Updates from: 10/22/2022 01:10:08
Category | Microsoft Docs article | Related commit history on GitHub | Change details
compliance | Alert Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
The tables also indicate the Office 365 Enterprise and Office 365 US Government
|Name|Description|Severity|Automated investigation|Enterprise subscription| ||||||
-|**A potentially malicious URL click was detected**|Generates an alert when a user protected by [Safe Links](/microsoft-365/security/office-365-security/safe-links) in your organization clicks a malicious link. This alert is generated when a user clicks on a link and this event triggers a URL verdict change identification by Microsoft Defender for Office 365. This alert automatically triggers [automated investigation and response in Office 365](/microsoft-365/security/office-365-security/office-365-air). For more information on events that trigger this alert, see [Set up Safe Links policies](/microsoft-365/security/office-365-security/set-up-safe-links-policies).|High|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**A potentially malicious URL click was detected**|Generates an alert when a user protected by [Safe Links](/microsoft-365/security/office-365-security/safe-links) in your organization clicks a malicious link. This alert is generated when a user clicks on a link and this event triggers a URL verdict change identification by Microsoft Defender for Office 365. It also checks for any clicks in the past 48 hours from the time the malicious URL verdict is identified, and generates alerts for the clicks that happened in the 48-hour timeframe for that malicious link. This alert automatically triggers [automated investigation and response in Office 365](/microsoft-365/security/office-365-security/office-365-air). For more information on events that trigger this alert, see [Set up Safe Links policies](/microsoft-365/security/office-365-security/set-up-safe-links-policies).|High|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription|
|**A user clicked through to a potentially malicious URL**|Generates an alert when a user protected by [Safe Links](/microsoft-365/security/office-365-security/safe-links) in your organization clicks a malicious link. This event is triggered when user clicks on a URL (which is identified as malicious or pending validation) and overrides the Safe Links warning page (based on your organization's Microsoft 365 for business Safe Links policy) to continue to the URL hosted page / content. For Defender for Office 365 P2, E5, G5 customers, this alert automatically triggers [automated investigation and response in Office 365](/microsoft-365/security/office-365-security/office-365-air). For more information on events that trigger this alert, see [Set up Safe Links policies](/microsoft-365/security/office-365-security/set-up-safe-links-policies).|High|Yes|E5/G5 or Defender for Office 365 P2 add-on subscription| |**Admin submission result completed**|Generates an alert when an [Admin Submission](../security/office-365-security/admin-submission.md) completes the rescan of the submitted entity. An alert will be triggered every time a rescan result is rendered from an Admin Submission. <br/><br/> These alerts are meant to remind you to [review the results of previous submissions](https://compliance.microsoft.com/reportsubmission), submit user reported messages to get the latest policy check and rescan verdicts, and help you determine if the filtering policies in your organization are having the intended impact.|Informational|No|E1/F1, E3/F3, or E5| |**Admin triggered manual investigation of email**|Generates an alert when an admin triggers the manual investigation of an email from Threat Explorer. For more information, see [Example: A security administrator triggers an investigation from Threat Explorer](../security/office-365-security/automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). 
<br/><br/> This alert notifies your organization that the investigation was started. The alert provides information about who triggered it and includes a link to the investigation.|Informational|Yes|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription|
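Review bot: the sentence added to the first row ("It also checks for any clicks in the past 48 hours ...") has an unclear subject and leaves the alert count ambiguous. "This alert" cannot check anything; Defender for Office 365 does. And "generates alerts for the clicks that happened in the 48-hour timeframe" does not say whether each earlier click raises its own alert or whether those clicks are folded into one alert, which matters here because the same row says every alert triggers automated investigation and response. Suggest: "Defender for Office 365 also looks back 48 hours from the time the verdict changed and raises an alert for each click on that URL in that window" (or "a single alert covering those clicks", whichever is the actual behavior).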
compliance | Classifier Tc Definitions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-tc-definitions.md
ms.localizationpriority: medium - purview-compliance
+- tier2
- m365solution-mip - m365initiative-compliance
description: "This is a list of all trainable classifiers, their definitions and
# Trainable classifiers definitions
-Microsoft Purview comes with multiple pre-trained classifiers:
+Microsoft Purview comes with multiple pre-trained classifiers. They appear in the **Microsoft Purview compliance portal** \> **Data classification** \> **Trainable classifiers** view with the status of `Ready to use`.
- **Adult, racy, and gory**: Detects images of these types. The images must be between 50 kilobytes (KB) and 4 megabytes (MB) in size and be greater than 50 x 50 pixels in height x width dimensions. Scanning and detection are supported for Exchange Online email messages, and Microsoft Teams channels and chats. Detects content in .jpeg, .png, .gif, and .bmp files.
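Review bot: the relocated intro sentence now states that all of these classifiers appear with the status `Ready to use`, but this same change adds several classifiers marked "(preview)" to the list below it. Confirm that preview classifiers also show `Ready to use`; if they show a different status, qualify the sentence (for example "Classifiers that are generally available appear ... with the status `Ready to use`").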
Microsoft Purview comes with multiple pre-trained classifiers:
- **Construction specifications (preview)**: Detects construction specifications for commercial and industrial projects like factories, plants, commercial offices, airports, roads. Captures guidelines on the quality, quantity, types of building material, processes etc. Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .rtf, .txt, .one, .msg, .eml, .pptx, .pptm, .ppt, .potx, .potm, .pot, .ppsx, .ppsm, .pps, .ppam, .ppa files.
+- **Corporate Sabotage (preview)**: Detects messages that may mention acts to damage or destroy corporate assets or property. This classifier can help customers manage regulatory compliance obligations such as NERC Critical Infrastructure Protection standards or state by state regulations like Chapter 9.05 RCW in Washington state. Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files.
+> [!IMPORTANT]
+> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.
+ - **Customer complaints**: The customer complaints classifier detects feedback and complaints made about your organization's products or services. This classifier can help you meet regulatory requirements on the detection and triage of complaints, like the Consumer Financial Protection Bureau and Food and Drug Administration requirements. For Communications Compliance, it detects content in .msg, and .eml files. For the rest of Microsoft Purview Information Protection services, it detects content in .docx, .pdf, .txt, .rtf, .jpg, .jpeg, .png, .gif, .bmp, .svg files. - **Discrimination**: Detects explicit discriminatory language and is sensitive to discriminatory language against the African American/Black communities when compared to other communities. This applies to Communications Compliance, it's a text based classifier.
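Review bot: the `[!IMPORTANT]` block added after **Corporate Sabotage (preview)** is reused verbatim after every other preview classifier added in this change, and its wording has problems that will now have to be fixed in six places. "While in preview, this classifier ... While they're in preview" repeats itself and switches from singular to plural, and the bold span swallows the word "condition", which is not part of the condition's name; suggest "the **Message is not sent to any of these domains** condition". Consider a single note above the list (or an include) that says which classifiers it applies to. Also, that condition belongs to Communication Compliance policies, but unlike the **Customer complaints** entry next to it, the new entry does not say which solution it is intended for; suggest stating that scope in the item itself.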
Microsoft Purview comes with multiple pre-trained classifiers:
- **Financial Statement (preview)**: Detects financial statements like income statement, balance sheet, cash flow statement, statement of changes in equity. Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .rtf, .txt, .xlsx, .xlsm, .xlsb, .xls, .csv, .xltx, .xltm, .xlt, .xlam, .xla files.
+- **Gifts & entertainment (preview)**: Detects messages that may suggest exchanging gifts or entertainment in return for service, which violates regulations related to bribery. This classifier can help customers manage regulatory compliance obligations such as Foreign Corrupt Practices Act (FCPA), UK Bribery Act and FINRA Rule 2320. Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files.
+> [!IMPORTANT]
+> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.
+ - **Harassment**: Detects a specific category of offensive language text items related to offensive conduct targeting one or multiple individuals based on the following traits: race, ethnicity, religion, national origin, gender, sexual orientation, age, disability. Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files. - **Health/Medical forms (preview)**: Detects various forms and files that are used for systematic documentation of a patient's admission details, medical history, patient information and prior authorization request and are typically used in medical/health services. Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .rtf, .txt, .one, .msg, .eml, .pptx, .pptm, .ppt, .potx, .potm, .pot, .ppsx, .ppsm, .pps, .ppam, .ppa files.
Microsoft Purview comes with multiple pre-trained classifiers:
- **Meeting Notes** (preview): This classifier detects meeting notes. Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .rtf, .txt, .one, .msg, .eml, .pptx, .pptm, .ppt, .potx, .potm, .pot, .ppsx, .ppsm, .pps, .ppam, .ppa files.
+- **Money laundering (preview)**: Detects signs that may suggest money laundering or engagement in acts to conceal or disguise the origin or destination of proceeds. This classifier can help customers manage regulatory compliance obligations such as the Bank Secrecy Act, the USA Patriot Act, FINRA Rule 3310 and Anti-Money Laundering Act of 2020. Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files.
+> [!IMPORTANT]
+> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.
- **Network Design files (preview)**: This classifier detects technical documentation about networks of computers including various components of network, how they're connected, their architecture, how they perform and where they troubleshoot Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .rtf, .txt, .one, .msg, .eml, .pptx, .pptm, .ppt, .potx, .potm, .pot, .ppsx, .ppsm, .pps, .ppam, .ppa files.
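Review bot: the **Network Design files (preview)** context line in this hunk is missing the period before "Detects content", and "where they troubleshoot" is incomplete (troubleshoot what?). Since this change is already editing this list, suggest fixing it here: "... how they perform, and how to troubleshoot them. Detects content in ...".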
Microsoft Purview comes with multiple pre-trained classifiers:
- **Profanity**: Detects a specific category of offensive language text items that contain expressions that embarrass most people. Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files.
+- **Regulatory collusion (preview)**: Detects messages that may violate regulatory anti-collusion requirements such as an attempted concealment of sensitive information. This classifier can help customers manage regulatory compliance obligations such as the Sherman Antitrust Act, Securities Exchange Act 1933, Securities Exchange Act of 1934, Investment Advisers Act of 1940, Federal Commission Act, and Robinson-Patman Act. Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files.
+> [!IMPORTANT]
+> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.
+ - **Resume**: This classifier detects resume. A resume is a document that a job applicant provides an employer, which has a detailed statement of the candidate's prior work experience, education, and accomplishments. Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .txt files. - **Sales and revenue (preview)**: This classifier detects sales reports, revenue/income statement and sales/demand forecasting reports for organizations. Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .rtf, .txt, .one, .pptx, .pptm, .ppt, .potx, .potm, .pot, .ppsx, .ppsm, .pps, .ppam, .ppa files. - - **Software Product Development Files (preview)**: This classifier detects files used in software development including product requirements document, product testing and planning, files including test cases, and test reports. Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .rtf, .txt, .one, .msg, .eml files. - **Source code**: detects items that contain a set of instructions and statements written computer programming languages on GitHub: ActionScript, C, C#, C++, Clojure, CoffeeScript, Go, Haskell, Java, JavaScript, Lua, MATLAB, Objective-C, Perl, PHP, Python, R, Ruby, Scala, Shell, Swift, TeX, Vim Script. Detects content in .msg, .as, .h, .c, .cs, .cc, .cpp, .hpp, .cxx, .hh, .c++, .clj, .edn, .cljc, .cljs, .coffee, .litcoffee, .go, .hs, .lhs, .java, .jar, .js, .mjs, .lua, .m, .mm, .pl, .pm, .t, .xs, .pod, .php, .phar, .php4, .pyc, .R, .r, .rda, .RData, .rds, .rb, .scala, .sc, .sh, .swift files.
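Review bot: the statute names in the new **Regulatory collusion (preview)** entry need checking. "Securities Exchange Act 1933" conflates two laws: the 1933 statute is the Securities Act of 1933, and the Securities Exchange Act is the 1934 act that the same sentence already lists. "Federal Commission Act" appears to be missing a word (Federal Trade Commission Act?); please verify against the source list. In the surrounding context, "- - **Software Product Development Files (preview)**" has a doubled list marker and the **Source code** entry reads "statements written computer programming languages", missing "in"; worth fixing in the same change.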
Microsoft Purview comes with multiple pre-trained classifiers:
- **Statement of Work (preview)**: This classifier detects statement of work containing details like requirements, responsibilities, terms and conditions for both parties. Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .rtf, .txt files.
+- **Stock manipulation (preview)**: Detects signs of possible stock manipulation, such as recommendations to buy, sell or hold stocks that may suggest an attempt to manipulate the stock price. This classifier can help customers manage regulatory compliance obligations such as the Securities Exchange Act of 1934, FINRA Rule 2372, and FINRA Rule 5270. Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files.
+> [!IMPORTANT]
+> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.
+ - **Tax**: Detects tax related content such as tax planning, tax forms, tax filing, tax regulations. Detects content in .docx, .docm, .doc, .dotx, .dotm, .dot, .pdf, .rtf, .txt, .one, .msg, .eml, .pptx, .pptm, .ppt, .potx, .potm, .pot, .ppsx, .ppsm, .pps, .ppam, .ppa, .xlsx, .xlsm, .xlsb, .xls, .csv, .xltx, .xltm, .xlt, .xlam, xla files. - **Threat**: Detects a specific category of offensive language text items related to threats to commit violence or do physical harm or damage to a person or property. Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files.
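Review bot: the **Tax** context line this hunk sits against ends its extension list with "xla" without the leading dot that every other extension has; suggest ".xla" while this list is being edited. The `[!IMPORTANT]` block after **Stock manipulation (preview)** is another verbatim copy of the note first added after **Corporate Sabotage (preview)**, with the same wording issues.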
-These classifiers appear in the **Microsoft Purview compliance portal** \> **Data classification** \> **Trainable classifiers** view with the status of `Ready to use`.
+- **Unauthorized disclosure (preview)**: Detects sharing of information containing content that is explicitly designated as confidential or internal to unauthorized individuals. This classifier can help customers manage regulatory compliance obligations such as FINRA Rule 2010 and SEC Rule 10b-5. Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files.
+> [!IMPORTANT]
+> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the **Message is not sent to any of these domains condition** with a list of domains to exclude.
+++
-![classifiers-pre-trained-classifiers.](../media/classifiers-ready-to-use-classifiers.png)
> [!IMPORTANT] > Please note that the built-in trainable and global classifiers don't provide an exhaustive or complete list of terms or language across these areas. Further, language and cultural standards continually change, and in light of these realities, Microsoft reserves the right to update these classifiers in its discretion. While classifiers may assist your organization in detecting these areas, classifiers are not intended to provide your organization's sole means of detecting or addressing the use of such language. Your organization, not Microsoft or its subsidiaries, remains responsible for all decisions related to monitoring, scanning, blocking, removal, and retention of any content identified by a pre-trained classifier, including compliance with local privacy and other applicable laws. Microsoft encourages consulting with legal counsel before deployment and use.
-Our Threat, Profanity, Harassment, and Discrimination classifiers can scan content in these languages:
+Our Threat, Profanity, and Harassment classifiers can scan content in these languages:
- Arabic - Chinese (Simplified)
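Review bot: removing Discrimination from "Our Threat, Profanity, and Harassment classifiers can scan content in these languages" leaves the **Discrimination** entry above with no statement of its language coverage at all; suggest adding "English only" (or whatever the supported set is) to that entry so the omission does not read as an oversight. The removal of the `classifiers-ready-to-use-classifiers.png` screenshot is fine given the status sentence moved to the intro, but check that no other page links to that media file before deleting it.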
compliance | Dlp Configure Endpoint Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-configure-endpoint-settings.md
This feature is available for devices running any of the following Windows versi
You can define removeable storage devices by these parameters: - Storage device friendly name - Get the Friendly name value from the storage device property details in device manager.-- USB product ID - Get the Device Instance path value from the printer device property details in device manager. Convert it to Product ID and Vendor ID format, see [Standard USB identifiers](/windows-hardware/drivers/install/standard-usb-identifiers).-- USB vendor ID - Get the Device Instance path value from the printer device property details in device manager. Convert it to Product ID and Vendor ID format, see [Standard USB identifiers](/windows-hardware/drivers/install/standard-usb-identifiers).
+- USB product ID - Get the Device Instance path value from the USB device property details in device manager. Convert it to Product ID and Vendor ID format, see [Standard USB identifiers](/windows-hardware/drivers/install/standard-usb-identifiers).
+- USB vendor ID - Get the Device Instance path value from the USB device property details in device manager. Convert it to Product ID and Vendor ID format, see [Standard USB identifiers](/windows-hardware/drivers/install/standard-usb-identifiers).
- Serial number ID - Get the serial number ID value from the storage device property details in device manager. - Device ID - Get the device ID value from the storage device property details in device manager. - Instance path ID - Get the device ID value from the storage device property details in device manager.
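Review bot: after the "printer device" to "USB device" fix, the **USB product ID** and **USB vendor ID** bullets are word-for-word identical apart from their labels, so a reader still does not learn which part of the Device Instance path yields the vendor ID and which the product ID; suggest either merging them into one bullet or saying in each which identifier to extract. In the trailing context, the **Instance path ID** bullet says "Get the device ID value", which is a copy of the **Device ID** bullet; it should presumably say "Get the device instance path value". "removeable" in the lead sentence is misspelled (removable).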
compliance | Insider Risk Management Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policies.md
Complete the following steps to copy an existing policy:
## Immediately start scoring security-related user activity
-There may be scenarios where you need to immediately start assigning risk scores to users with insider risk policies outside of the insider risk management triggering event workflow. Use **Start scoring activity for users** on the **Policies** tab to manually add a user (or users) to one or more insider risk policies for a specific amount of time, to immediately start assigning risk scores to their activity, and to bypass the requirement for a user to have a triggering indicator (like a DLP policy match). You can also add a reason for adding the user to the policy, which will appear on the users' activity timeline. Users manually added to policies are displayed in the **Users** dashboard and alerts are created if activity meets the policy alert thresholds.
+There may be scenarios where you need to immediately start assigning risk scores to users with insider risk policies outside of the insider risk management triggering event workflow. Use **Start scoring activity for users** on the **Policies** tab to manually add a user (or users) to one or more insider risk policies for a specific amount of time, to immediately start assigning risk scores to their activity, and to bypass the requirement for a user to have a triggering indicator (like a DLP policy match). You can also add a reason for adding the user to the policy, which will appear on the users' activity timeline. Users manually added to policies are displayed in the **Users** dashboard and alerts are created if activity meets the policy alert thresholds. You can add up to 4,000 users per policy when adding users for immediate scoring.
Some scenarios where you may want to immediately start scoring user activities:
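Review bot: the added limit "You can add up to 4,000 users per policy when adding users for immediate scoring" is ambiguous about whether 4,000 is the cap on a single **Start scoring activity for users** operation or the total number of manually added users a policy can hold at one time (and whether users whose scoring window has expired still count). Suggest stating which, since an admin sizing a bulk add needs to know. The trailing clause "when adding users for immediate scoring" also repeats the sentence's subject and can be dropped.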
contentunderstanding | Content Assembly Edit Template | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/content-assembly-edit-template.md
+
+ Title: Edit a modern template in Microsoft Syntex
+++
+audience: admin
+++
+search.appverid:
+
+ - enabler-strategic
+ - m365initiative-syntex
+ms.localizationpriority: medium
+description: Learn how to edit a modern template in Microsoft Syntex.
++
+# Edit a modern template in Microsoft Syntex
+
+If you need to edit an existing template or to delete or unpublish a template, follow these steps.
+
+1. From a SharePoint document library, select **New** > **Edit New menu**.
+
+ ![Screenshot of document library with the Edit New menu option highlighted.](../media/content-understanding/content-assembly-edit-template-1.png)
+
+2. On the **Edit New menu** panel, in the **Modern templates** section, select the published or draft template you want to edit.
+
+ ![Screenshot of the Edit New menu panel showing the Modern templates section.](../media/content-understanding/content-assembly-edit-template-2.png)
+
+3. To edit a published template or a draft template:
+
+ - For **Published templates**, select **Edit** to open the template studio where you can edit the published template. You can also choose to delete or unpublish the template.
+
+ ![Screenshot of the Modern templates section showing the published templates.](../media/content-understanding/content-assembly-edit-published.png)
+
+ - For **Draft templates**, select **Edit** to open the template studio where you can edit the draft template. You can also choose to delete or publish the template.
+
+ ![Screenshot of the Modern templates section showing the draft templates.](../media/content-understanding/content-assembly-edit-draft.png)
+
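Review bot: the intro of the new page ("If you need to edit an existing template or to delete or unpublish a template") does not mention publishing, yet step 3 says draft templates can be published from the same panel; suggest "edit, delete, publish, or unpublish a template" so the intro matches the steps. The front matter also has `search.appverid:` with no value; either fill it in or drop the key.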
contentunderstanding | Content Assembly Modern Template | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/content-assembly-modern-template.md
When you have completed adding all relevant fields to the template and you want
2. To view, edit, or unpublish *published* templates from the **Published templates** dropdown menu in the **Modern templates** section, select **New** > **Edit New menu** from the document library.
-## Edit a modern template
+## See also
-If you need to edit an existing template or to delete or unpublish a template, follow these steps.
-
-1. From a SharePoint document library, select **New** > **Edit New menu**.
-
- ![Screenshot of document library with the Edit New menu option highlighted.](../media/content-understanding/content-assembly-edit-template-1.png)
-
-2. On the **Edit New menu** panel, in the **Modern templates** section, select the published or draft template you want to edit.
-
- ![Screenshot of the Edit New menu panel showing the Modern templates section.](../media/content-understanding/content-assembly-edit-template-2.png)
-
-3. To edit a published template or a draft template:
-
- - For **Published templates**, select **Edit** to open the template studio where you can edit the published template. You can also choose to delete or unpublish the template.
-
- ![Screenshot of the Modern templates section showing the published templates.](../media/content-understanding/content-assembly-edit-published.png)
-
- - For **Draft templates**, select **Edit** to open the template studio where you can edit the draft template. You can also choose to delete or publish the template.
-
- ![Screenshot of the Modern templates section showing the draft templates.](../media/content-understanding/content-assembly-edit-draft.png)
-
-> [!div class="nextstepaction"]
-> [Next step > Create a document from a modern template](content-assembly-create-document.md)
+[Edit a modern template](content-assembly-edit-template.md)
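Review bot: this hunk deletes the `nextstepaction` link to content-assembly-create-document.md along with the moved section, and the new edit-template page in this same change does not carry it either, so the "Next step" path from creating a template to creating a document is lost. Suggest keeping the `> [!div class="nextstepaction"]` block on this page (before the new **See also** heading) or adding it to the end of the new page.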
enterprise | Modern Auth For Office 2013 And 2016 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016.md
For Click-to-run based installations you *must* have the following software inst
|||| |MSO.DLL |C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\MSO.DLL |15.0.4753.1001 | |CSI.DLL |CSI.DLL C:\Program Files\Microsoft Office 15\root\office15\csi.dll |15.0.4753.1000 |
-|Groove.EXE |C:\Program Files\Microsoft Office 15\root\office15\GROOVE.exe |15.0.4763.1000 |
+|Groove.EXE* |C:\Program Files\Microsoft Office 15\root\office15\GROOVE.exe |15.0.4763.1000 |
|Outlook.exe |C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.exe |15.0.4753.1002 | |ADAL.DLL |C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\ADAL.DLL |1.0.2016.624 | |Iexplore.exe |C:\Program Files\Internet Explorer |varies |
+\* If the Groove.EXE component is not present in your Office installation, it doesn't need to be installed for ADAL to work. However, if it is present, then the build for Groove.EXE listed here is required.
+ ### MSI-based installations For MSI-based installations the following software *must* be installed at the file version listed below, or a *later* file version. If your file version is not equal to, or greater than, the file version listed below, update using the link in the *Update KB Article* column.
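Review bot: the asterisk in the changed table cell is written as a bare `Groove.EXE*` while the footnote escapes it as `\*`; a trailing unescaped `*` inside a table cell is fragile in Markdown, so suggest `Groove.EXE\*` in the cell to match. The footnote text is also duplicated word for word under the MSI-based table later in this change; one footnote after the second table, referenced from both, would be easier to keep in sync.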
For MSI-based installations the following software *must* be installed at the fi
|File name |Install path on your computer |Where to get the update |Version | |||||
-|MSO.DLL|C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL |[KB3085480](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fkb%2F3085480&data=05%7C01%7Cmeerak%40microsoft.com%7Cbfbfa82510d542bc83c808dab07f400b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638016357854522241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=kpOu5cLXGFtynjGMejN2rk89wNQCezFHKTwf1BkwiBI%3D&reserved=0) |15.0.4753.1001 |
-|CSI.DLL|C:\Program Files\Common Files\Microsoft Shared\OFFICE15\Csi.dll |[KB3085504](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fkb%2F3085504&data=05%7C01%7Cmeerak%40microsoft.com%7Cbfbfa82510d542bc83c808dab07f400b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638016357854522241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=CdsLij5YpLUk3ZPGSLqJolHyNkvuJ7pAJjUwiwXrtEs%3D&reserved=0) |15.0.4753.1000 |
-|Groove.exe|C:\Program Files\Microsoft Office\Office15\GROOVE.EXE |[KB3085509](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fkb%2F3085509&data=05%7C01%7Cmeerak%40microsoft.com%7Cbfbfa82510d542bc83c808dab07f400b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638016357854679005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=pJFCjaVvlM0bmBjHSZ6neKQJbOYwTJzHHwB0XDLrfWs%3D&reserved=0) |15.0.4763.1000 |
-|Outlook.exe|C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE |[KB3085495](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fkb%2F3085495&data=05%7C01%7Cmeerak%40microsoft.com%7Cbfbfa82510d542bc83c808dab07f400b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638016357854679005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=JHsuqm3lrYwE1DA1kZzBDym%2F3pY%2FFNTUlSkwhho1rWU%3D&reserved=0) |15.0.4753.1002 |
-|ADAL.DLL|C:\Program Files\Common Files\Microsoft Shared\OFFICE15\ADAL.DLL |[KB3055000](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fkb%2F3055000&data=05%7C01%7Cmeerak%40microsoft.com%7Cbfbfa82510d542bc83c808dab07f400b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638016357854679005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=tm7iaJP%2BA3h%2BYvNQyzhQKLMgNUojihYdCxUnfDBDd4A%3D&reserved=0) |1.0.2016.624 |
-|Iexplore.exe|C:\Program Files\Internet Explorer |[MS14-052](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.mi1.0.2016.624crosoft.com%2Fen-us%2Fkb%2F2977629&data=05%7C01%7Cmeerak%40microsoft.com%7Cbfbfa82510d542bc83c808dab07f400b%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638016357854679005%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=dXZr3ft6w6%2FLVfke6b1WDRY%2BI7RCFebPeFDyWN8OMC0%3D&reserved=0) |Not applicable |
+|MSO.DLL|C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL |[KB3085480](https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-office-2013-september-10-2019-0d171ba2-2eba-a2ca-a54d-c0f568de6bcc) |15.0.4753.1001 |
+|CSI.DLL|C:\Program Files\Common Files\Microsoft Shared\OFFICE15\Csi.dll |[KB3172545](https://support.microsoft.com/en-us/topic/july-11-2017-update-for-office-2013-kb3172545-d6b47054-04d5-5154-40ba-3436d1e0efdb) |15.0.4753.1000 |
+|Groove.exe*|C:\Program Files\Microsoft Office\Office15\GROOVE.EXE |[KB4022226](https://support.microsoft.com/en-us/topic/august-7-2018-update-for-onedrive-for-business-for-office-2013-kb4022226-6163bb26-cbde-eb16-ac42-abfda7afbf68) |15.0.4763.1000 |
+|Outlook.exe|C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE |[KB4484096](https://support.microsoft.com/en-us/topic/october-1-2019-update-for-outlook-2013-kb4484096-6513145a-cc75-1cd1-72b7-78cb62d8476b) |15.0.4753.1002 |
+|ADAL.DLL|C:\Program Files\Common Files\Microsoft Shared\OFFICE15\ADAL.DLL |[KB3085565](https://support.microsoft.com/en-us/topic/july-5-2016-update-for-office-2013-kb3085565-1d1a6d24-fbd4-1bae-242f-a35e0e2aba40) |1.0.2016.624 |
+|Iexplore.exe|C:\Program Files\Internet Explorer |[MS14-052](https://support.microsoft.com/en-us/topic/ms14-052-cumulative-security-update-for-internet-explorer-september-9-2014-17d29b71-9e78-0bc1-8961-7b812d04e4e1) |Not applicable |
+
+\* If the Groove.EXE component is not present in your Office installation, it doesn't need to be installed for ADAL to work. However, if it is present, then the build for Groove.EXE listed here is required.
Office 2016 and Office 2019 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.
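Review bot: replacing the Safe Links-wrapped URLs with direct support.microsoft.com links is the right fix: the old `nam06.safelinks.protection.outlook.com` URLs embedded an employee e-mail address and tenant ID in their `data=` parameter, and the Iexplore.exe one was additionally corrupted ("support.mi1.0.2016.624crosoft.com"). Two things to state in the commit message or PR: four rows now point at different KB articles than before (CSI.DLL KB3085504 to KB3172545, Groove.exe KB3085509 to KB4022226, Outlook.exe KB3085495 to KB4484096, ADAL.DLL KB3055000 to KB3085565) while the required file versions are unchanged, so say why (superseding updates?) so a reader comparing the version column does not assume a mistake; and since the removed URLs contained a personal address, confirm whether the repository's policy requires scrubbing them from history.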
The following table describes the authentication behavior for Office 2013, Offic
[Sign in to Microsoft 365 with multi-factor authentication](https://support.microsoft.com/office/sign-in-to-microsoft-365-with-multi-factor-authentication-2b856342-170a-438e-9a4f-3c092394d3cb)
-[Microsoft 365 Enterprise overview](microsoft-365-overview.md)
+[Microsoft 365 Enterprise overview](microsoft-365-overview.md)
frontline | Hc Delegates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/hc-delegates.md
Title: Message delegation
+ Title: Use a Teams status message to assign a delegate
description: Learn how a user with Away status or Do Not Disturb status can expl
-# Message delegation
+# Use a Teams status message to assign a delegate
Users in Microsoft Teams can set their status to Away or Do not Disturb, and include a custom text status message. A user who's going to be away can assign someone as a delegate who people can contact instead. The message delegation feature works as follows:
Users in Microsoft Teams can set their status to Away or Do not Disturb, and inc
Users can initiate the process themselves, and no admin involvement is required to enable the feature.
+> [!NOTE]
+> Status notes and delegation mention behaviors are also available in Skype for Business, but their availability depends on the user's co-existence mode. Skype for Business doesn't enforce a character limit on status notes. However, Microsoft Teams will only display the first 280 characters of a note set from Skype for Business. An ellipses (...) at the end of a note indicates that it's been truncated. Skype for Business doesn't support expiry times for notes. <br>Skype for Business Online was retired on July 31, 2021. [Learn how to upgrade to Microsoft Teams](/microsoftteams/upgrade-start-here).
+ ## Delegation use scenario in Healthcare **Usage example without setting delegates**
Dr. Franco Piccio is on call at the radiology department. He receives an urgent
**Usage example with setting delegates** Dr. Franco Piccio is on call at the radiology department. He receives an urgent personal call and has to step away for the next couple of hours. He asks one of his peers in the radiology department, Dr. Lena Ehrle to cover for him while he's gone. He changes his custom status message to say "I am unavailable for the next few hours. Please contact @DrEhrle for any emergencies." Others on the team realize the delegation happened as they're attempting to contact Dr. Piccio, so they now know to contact Dr. Ehrle in the meantime. Little to no confusion ensues with a patient's care.-
-## Impact of co-existence modes on user status in the Teams client
-
-Status notes and delegation mention behaviors depend partly on a user's co-existence mode. This matrix shows the possibilities:
-
-|Co-Existence Mode | Expected Behavior|
-|||
-|TeamsOnly |Users can set a note only from Teams. <br> User's Teams note is visible in Teams & SfB. |
-|Islands | User's note set in Teams visible only in Teams. <br> User's note set in SfB visible only in SfB |
-|SfB* modes | Users can set a note only from SfB. <br> User's SfB note is visible in SfB & Teams. |
-
-A user can only set a note in Teams if their mode is TeamsOnly or Islands.
-
-### Displaying notes set in Skype for Business
-
-There's no visual indication that a note was set from Skype for Business.
-
-Skype for Business doesn't enforce a character limit on status notes. However, Microsoft Teams will only display the first 280 characters of a note set from Skype for Business. An ellipses (...) at the end of a note indicates that it's been truncated.
-
-Skype for Business doesn't support expiry times for notes.
-
-Migration of notes from Skype for Business to Teams isn't supported when a user is upgraded to TeamsOnly mode.
-
-## Related topics
-
-[Learn more about Coexistence with Skype for Business](/microsoftteams/coexistence-chat-calls-presence).
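Review bot: the new note block at the top of the article replaces the removed "Impact of co-existence modes" section but drops two facts the deleted text carried: which modes let a user set a note in Teams at all (only TeamsOnly or Islands), with an SfB note visible in Teams only in the SfB modes, and that notes are not migrated when a user is upgraded to TeamsOnly; keep at least those two sentences, since they decide whether a delegate message set in one client is ever seen by colleagues using the other. Also "An ellipses (...)" should read "An ellipsis (...)", and the new heading line runs the H2 and the bold "Usage example without setting delegates" label together on one line; put the bold label on its own line under the heading, as the second usage example already does.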
frontline Virtual Appointments Toolkit https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/virtual-appointments-toolkit.md
- m365-frontline - highpri
-description: Customizable resources and infographics you can add to your website to help your clients understand how to use virtual appointments with your organization.
+description: Customizable resources and infographics you can add to your website to help your clients understand how to use virtual appointments that have been scheduled in Bookings with your organization.
appliesto: - Microsoft Teams - Microsoft 365 for frontline workers
-# Help your clients and customers use virtual appointments
+# Help your clients and customers use virtual appointments scheduled with Bookings
Now that your organization has begun using Microsoft Teams and the Bookings app for virtual appointments, you'll need to make sure that your clients and customers understand how to book and join these appointments.
Make the most of virtual appointments by making sure your staff members know how
- [Learn how to use the Bookings app in Teams](https://support.microsoft.com/office/what-is-bookings-42d4e852-8e99-4d8f-9b70-d7fc93973cb5). - [Learn how to join a Bookings appointment](https://support.microsoft.com/office/join-a-bookings-appointment-attendees-3deb7bde-3ea3-4b41-8a06-741ad0db9fc0). - [Conduct an appointment](bookings-virtual-visits.md#conduct-an-appointment).-- [Watch a video about virtual appointments](#help-your-clients-and-customers-use-virtual-appointments).
+- [Watch a video about virtual appointments](#help-your-clients-and-customers-use-virtual-appointments-scheduled-with-bookings).
- [Watch a video about how to manage the queue in virtual appointments](https://go.microsoft.com/fwlink/?linkid=2202615). - [Watch a video about waiting room features in virtual appointments](https://go.microsoft.com/fwlink/?linkid=2202614).
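Review bot: the new description reads awkwardly ("virtual appointments that have been scheduled in Bookings with your organization"); "virtual appointments scheduled in Bookings with your organization" matches the wording of the new H1. The removed metadata line (`- m365-frontline - highpri`) takes the article out of those collections with no stated reason; confirm that is intended rather than a stray deletion. The updated in-page anchor correctly matches the slug of the renamed heading.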
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
In order to preview new features and provide early feedback, it is recommended t
- Install the Microsoft GPG public key: ```bash
- curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg >
+ curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft.gpg >
``` - Install the HTTPS driver if not already installed:
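Review bot: moving the dearmored key from /etc/apt/trusted.gpg.d/microsoft.gpg to /usr/share/keyrings/microsoft.gpg changes its trust scope, not just its location: a keyring under trusted.gpg.d is trusted for every configured repository, while one under /usr/share/keyrings is consulted only for sources that name it with a `signed-by=` option. That is the better arrangement (the Microsoft key can then only sign the Microsoft repository), but the hunk shows no matching change to the repository-entry step; the sources line must carry `[signed-by=/usr/share/keyrings/microsoft.gpg]` or apt will reject the repository with a NO_PUBKEY signature error, and readers who followed the previous version of the page should be told to delete the now-redundant copy in /etc/apt/trusted.gpg.d.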
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.mktglfcycl: manage
ms.sitesec: library ms.pagetype: security ms.localizationpriority: high Previously updated : 10/13/2022 Last updated : 10/21/2022 audience: ITPro
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). <details>
+<summary>20221014.1</summary>
+
+&ensp;Package version: **20221014.1**<br/>
+&ensp;Platform version: **4.18.2209.7**<br/>
+&ensp;Engine version: **1.1.19700.3**<br/>
+&ensp;Signature version: **1.373.208.0**<br/>
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+<br/>
+</details><details>
<summary>20220929.1</summary> &ensp;Package version: **20220929.1**<br/>
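Review bot: the new 20221014.1 entry lists "None" under both Fixes and Additional information, so an admin comparing it with 20220929.1 cannot tell why the platform (4.18.2209.7), engine (1.1.19700.3) and signature versions moved or whether refreshing installation images is required; add a one-line reason (for example that it is a routine refresh of the bundled engine and signatures) so the entry gives something to act on. The details/summary layout matches the existing entries.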
security Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection.md
Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
Network protection helps protect devices from Internet-based events. Network protection is an attack surface reduction capability. It helps prevent employees from accessing dangerous domains through applications. Domains that host phishing scams, exploits, and other malicious content on the Internet are considered dangerous. Network protection expands the scope of [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
-Network protection extends the protection in [Web protection](web-protection-overview.md) to the operating system level. It provides the web protection functionality found in Microsoft Edge to other supported browsers and non-browser applications. Network protection also provides visibility and blocking of indicators of compromise (IOCs) when used with [Endpoint detection and response](overview-endpoint-detection-response.md). For example, network protection works with your [custom indicators](manage-indicators.md) that you can use to block specific domains or host names.
+Network protection extends the protection in [Web protection](web-protection-overview.md) to the operating system level, and is a core component for Web Content Filtering (WCF). It provides the web protection functionality found in Microsoft Edge to other supported browsers and non-browser applications. Network protection also provides visibility and blocking of indicators of compromise (IOCs) when used with [Endpoint detection and response](overview-endpoint-detection-response.md). For example, network protection works with your [custom indicators](manage-indicators.md) that you can use to block specific domains or host names.
+
+### Network protection coverage
+
+The following table summarizes network protection areas of coverage.
+
+| Feature | Microsoft Edge | 3rd-party browsers | Non-browser processes <br> (e.g. PowerShell) |
+|:|:|:|:|
+| Web Threat Protection | SmartScreen must be enabled | NP has to be in block mode | NP has to be in block mode |
+| Custom Indicators | SmartScreen must be enabled | NP has to be in block mode | NP has to be in block mode |
+| Web Content Filtering | SmartScreen must be enabled | NP has to be in block mode | Not supported |
> [!NOTE]
+> Network protection does not monitor msedge.exe on Windows devices.
+> For Mac and Linux, you must have network protection in block mode to get support for these features in Edge.
> For processes other than Microsoft Edge and Internet Explorer, web protection scenarios leverage Network Protection for inspection and enforcement:
->
> - IP is supported for all three protocols (TCP, HTTP, and HTTPS (TLS)). > - Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom indicators. > - Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge).
Network protection requires Windows 10 or 11 (Pro or Enterprise), Windows Server
| Windows version | Microsoft Defender Antivirus | |:|:|
-| Windows 10 version 1709 or later <br/> Windows 11 <br/> Windows Server 1803 or later | Make sure that [Microsoft Defender Antivirus real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) are enabled (active). |
+| Windows 10 version 1709 or later, Windows 11, Windows Server 1803 or later | Make sure that [Microsoft Defender Antivirus real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) are enabled (active) |
+| Windows Server 2012 R2 and Windows Server 2016 with the unified agent | Platform Update version 4.18.2001.x.x or newer |
## Why network protection is important
With indicators in Defender for Endpoint, administrators can allow end users to
:::image type="content" source="images/network-protection-smart-screen-block-notification.png" alt-text="Windows Security notification for network protection.":::
-Microsoft Defender for Endpoint administrators can configure SmartScreen Unblock functionality in the [Microsoft 365 Defender portal](https://security.microsoft.com) using an "allow" indicator for IPs, URLs, and domains.
+Microsoft Defender for Endpoint administrators can configure SmartScreen Unblock functionality in the [Microsoft 365 Defender portal](https://security.microsoft.com) using an "allow" indicator for IPs, URLs, and domains.
:::image type="content" source="images/network-protection-smart-screen-block-configuration.png" alt-text="Network protection SmartScreen block configuration ULR and IP form.":::
Network protection is enabled per device, which is typically done using your man
> [!NOTE] > Microsoft Defender Antivirus must be active to enable network protection.
-You can enable network protection in **Audit** mode or **Block** mode. If you want to evaluate the impact of enabling network protection before actually blocking IP addresses or URLs, you can enable network protection in Audit mode for time to gather data on what would be blocked. Audit mode logs when end users have connected to an address or site that would otherwise have been blocked by network protection.
+You can enable network protection in **Audit** mode or **Block** mode. If you want to evaluate the impact of enabling network protection before actually blocking IP addresses or URLs, you can enable network protection in Audit mode for time to gather data on what would be blocked. Audit mode logs when end users have connected to an address or site that would otherwise have been blocked by network protection. Note that in order for indicators of compromise (IoC) or Web content filtering (WCF) to work, network protection must be in ΓÇ£Block modeΓÇ¥
For information about network protection for Linux and macOS see: [Network protection for Linux](network-protection-linux.md) and [Network protection for macOS](network-protection-macos.md).
DeviceEvents
``` - :::image type="content" source="images/network-protection-advanced-hunting.png" alt-text="Advanced hunting for auditing and identifying events." lightbox="images/network-protection-advanced-hunting.png"::: > [!TIP]
DeviceEvents:
|sort by Timestamp desc ```+ The Response category tells you what caused the event, for example: | ResponseCategory | Feature responsible for the event |
Due to the multi-user nature of Windows 10 Enterprise, keep the following points
### Alternative option for network protection
-For Windows Server version 1803 or later and Windows 10 Enterprise Multi-Session 1909 and up, used in Windows Virtual Desktop on Azure, network protection for Microsoft Edge can be enabled using the following method:
+For Windows Server 2012R2/2016 unified MDE client, Windows Server version 1803 or newer, Windows Server 2019 or newer, and Windows 10 Enterprise Multi-Session 1909 and up, used in Windows Virtual Desktop on Azure, network protection for Microsoft Edge can be enabled using the following method:
1. Use [Turn on network protection](enable-network-protection.md) and follow the instructions to apply your policy.
For Windows Server version 1803 or later and Windows 10 Enterprise Multi-Session
- `Set-MpPreference -AllowNetworkProtectionDownLevel 1` - `Set-MpPreference -AllowDatagramProcessingOnWinServer 1`
+> [!NOTE]
+> In some cases, depending on your infrastructure, volume of traffic, and other conditions, `Set-MpPreference -AllowDatagramProcessingOnWinServer 1` can have an effect on network performance.
+
+### Network protection for Windows Servers
+
+Following is information specific to Windows Servers.
+
+#### Verify that network protection is enabled
+
+Verify whether network protection is enabled on a local device by using Registry Editor.
+
+1. Select the **Start** button in the task bar and type **regedit** to open the Registry Editor.
+1. Select **HKEY_LOCAL_MACHINE** from the side menu.
+1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** > **Windows defender** > **Windows Defender Exploit Guard** > **Network Protection**.
+
+ (If the key is not present, navigate to **SOFTWARE** > **Microsoft** > **Windows Defender** > **Windows Defender Exploit Guard** > **Network Protection**)
+
+4. Select **EnableNetworkProtection** to see the current state of network protection on the device:
+
+ - 0 = Off
+ - 1 = On (enabled)
+ - 2 = Audit mode
+
+For additional information, see: [Turn on network protection](enable-network-protection.md)
+
+##### Network protection suggestion
+
+For Windows Server 2012R2/2016 unified MDE client, Windows Server version 1803 or newer, Windows Server 2019 or newer, and Windows 10 Enterprise Multi-Session 1909 and up (used in Windows Virtual Desktop on Azure), there are additional registry keys that must be enabled:
+
+**HKEY_LOCAL_MACHINE**\**SOFTWARE**\**Policies**\**Microsoft**\**Windows Defender**\**Windows Defender Exploit Guard**\**Network Protection**
+
+**AllowNetworkProtectionDownLevel** (dword) 1 (hex)
+**AllowNetworkProtectionOnWinServer** (dword) 1 (hex)
+**EnableNetworkProtection** (dword) 1 (hex)
+
+> [!NOTE]
+> Depending on your infrastructure, volume of traffic, and other conditions, **HKEY_LOCAL_MACHINE**\\**SOFTWARE**\\**Policies**\\**Microsoft**\\**Windows Defender** \\**NIS**\\**Consumers**\\**IPS** - **AllowDatagramProcessingOnWinServer (dword) 1 (hex)** can have an effect on network performance.
+
+For additional information, see: [Turn on network protection](enable-network-protection.md)
+
+#### Windows Servers and Windows Multi-session configuration requires PowerShell
+
+For Windows Servers and Windows Multi-session, there are additional items that you must enable by using PowerShell cmdlets. For Windows Server 2012R2/2016 unified MDE client, Windows Server version 1803 or newer, Windows Server 2019 or newer, and Windows 10 Enterprise Multi-Session 1909 and up, used in Windows Virtual Desktop on Azure.
+
+1. Set-MpPreference -EnableNetworkProtection Enabled
+1. Set-MpPreference -AllowNetworkProtectionOnWinServer 1
+1. Set-MpPreference -AllowNetworkProtectionDownLevel 1
+1. Set-MpPreference -AllowDatagramProcessingOnWinServer 1
+
+> [!NOTE]
+> In some cases, depending on your infrastructure, volume of traffic, and other conditions, **Set-MpPreference -AllowDatagramProcessingOnWinServer 1** can have an effect on network performance.
++ ## Network protection troubleshooting Due to the environment where network protection runs, Microsoft might not be able to detect operating system proxy settings. In some cases, network protection clients are unable to reach the cloud service. To resolve the connectivity problem, [configure a static proxy for Microsoft Defender Antivirus](configure-proxy-internet.md#configure-a-static-proxy-for-microsoft-defender-antivirus).
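Review bot: the sentence appended to the Audit/Block mode paragraph contains mojibake quotes (ΓÇ£Block modeΓÇ¥); replace them with plain quotes, and since that sentence states that IoC blocking and Web Content Filtering need Block mode, cross-check it against the new coverage table, which says Edge needs only SmartScreen for both features, so the sentence should be scoped to non-Edge processes. Further down, the same performance caveat about AllowDatagramProcessingOnWinServer is added three times (the NOTE after the two backticked cmdlets, the NOTE under the registry keys, and the NOTE after the numbered cmdlet list); keep one. The four Set-MpPreference lines in the numbered list lack the code formatting used for the earlier pair, "##### Network protection suggestion" is a level-5 heading under a level-4 "Verify" heading although it is a sibling topic, the registry path in step 3 spells "Windows defender" while step 3's fallback and the key listing spell "Windows Defender", and the requirements row "Platform Update version 4.18.2001.x.x" has one ".x" too many.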
security Session Cookie Theft Alert https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/session-cookie-theft-alert.md
+
+ Title: Alert grading for session cookie theft alert
+description: Review, manage and grade the session cookie theft alert as True Positive (TP) or False Positive (FP), and if there is TP, take recommended actions to remediate the attack and mitigate the security risks arising because of it.
+keywords: incidents, alerts, investigate, analyze, response, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, cookie theft, AiTM, Attacker-in-the-middle, Adversary-in-the-middle, session theft, aitm cookie theft, aitm session theft.
+search.appverid: met150
++
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier2
++
+- autoir
+- admindeeplinkDEFENDER
+++
+# Alert grading for session cookie theft alert
+
+
+**Applies to:**
+- Microsoft 365 Defender
+
+This article contains information about alert grading for Session Cookie theft alerts in Microsoft 365 Defender:
+
+- **Stolen session cookie was used**
+- **Authentication request from AiTM-related phishing page**
+
+Threat actors have started using innovative ways to infiltrate their target environments. Taking inspiration from Adversary-in-the-Middle attacks, this type of attack uses phishing to steal credentials or their sign-in session in order to carry out malicious actions. BEC campaigns are an excellent example.
+
+This attack works by setting up an intermediate (phishing) site, effectively working as a proxy connection between the user and the legitimate website that the attacker is impersonating. By acting as an intermediary (proxy), the attacker is able to steal the target's password and session cookie. The attacker is therefore able to authenticate to a legitimate session as they're authenticating on behalf of the user.
+
+This playbook helps in investigating cases where suspicious behavior is observed indicative of an Attack-in-the-middle (AiTM) type of attack for cookie theft. This helps security teams like security operations center (SOC) and IT administrators to review, manage and grade the alerts as True Positive (TP) or False Positive (FP), and if it's TP, take recommended actions to remediate the attack and mitigate the security risks arising because of it.
+
+The results of using this playbook are:
+
+- You have identified the alerts associated with AiTM as malicious (TP) or benign (FP) activities.
+- If identified as malicious, you've taken the necessary action to remediate the attack.
+
+## Investigating steps
+
+1. Investigate whether the affected user has triggered any other security alerts.
+
+ - Focus on alerts that are based on geo-location anomalies for sign ins `[AadSignInEventsBeta or IdentityLogonEvents]`.
+ - Investigate for relevant sign-in events by looking at Session ID information `[AadSignInEventsBeta]`.
+ - Look for events associated with the identified (stolen) session ID to trace activities performed using the stolen cookie `[CloudAppEvents]`.
+ - Look for a time difference between sign-in activities where there's a difference in the geo-location. Multiple sessions shouldn't be possible for the same account with different locations (indicating that the session could be stolen).
+ - Check for alerts generated for the account from the corporate host.
+ - If the account is compromised, there could be alerts that preceded the compromise indicating attacks, for example, SmartScreen alerts `[NetworkConnectionEvents]`.
+
+2. Investigate suspicious behavior.
+ - Look for events indicating unusual patterns to identify suspicious patterns `[CloudAppEvents]` like uncommon properties for Users like ISP/Country/City, etc.
+ - Look for events that indicate new or previously unseen activities, such as sign-in attempts [success/failure] into new or never-before-used services, an increase in mail access activity, a change in Azure resource utilization, etc.
+ - Inspect any recent modifications in your environment starting from:
+ - Office 365 applications (like Exchange online permission changes, mail auto forwarding or redirection)
+ - PowerApps (like configuring automated data transmission through PowerAutomate)
+ - Azure environments (for example, Azure portal subscription modifications, etc.)
+ - SharePoint Online (accesses to multiple sites, or for files that have sensitive content like credential info, or financial statements), etc.)
+ - Inspect operations observed in multiple platforms (EXO, SPO, Azure, etc.) within a short time span for the affected user.
+ - For example, timelines for audit events of mail read/send operations and Azure resource allocation/modifications (new machine provisioning or adding to AAD) shouldn't coincide with each other.
+
+3. Investigate possible follow-on attacks. AiTM attacks are usually a means-to-an-end and not the endgame, so inspect your environment for other attacks that follow for the affected accounts.
+ - An example would be looking into BEC cases
+ - Look for search activities seen on the alerted user account mailbox `[CloudAppEvents]`.
+ - Search activities in the mailbox could have keywords observed in financial fraud (for example, invoices, payments, etc.), which are suspicious.
+ - Also look for inbox rules created with the intention of moving and marking as read (something along the lines of ActionType in (New-InboxRule, UpdateInboxRules, Set-InboxRule) and RawEventData has_all (MarkAsRead, MoveToFolder, Archive)).
+ - Look for mail flow events [EmailEvents & EmailUrlInfo on NetworkMessageId] where the multiple emails are sent with the same Url.
+ - Follow up with inspecting whether an increase or a high volume of mail deletion (ActivityType as Trash or Delete) is observed `[CloudAppEvents]` for the mailbox account.
+ - Matching behavior could be deemed as highly suspicious.
+ - Examine device events for Url events that match click events `[DeviceEvents on AccountName|AccountUpn]` for Office365 emails.
+ - Matching the events for click sources (for example, different IP addresses for the same Url) could be an indication of malicious behavior.
+
+## Advanced hunting queries
+
+[Advanced hunting](advanced-hunting-overview.md) is a query-based threat hunting tool that lets you inspect events in your network and locate threat indicators.
+Use these queries to gather more information related to the alert and determine whether the activity is suspicious.
+
+Ensure you have access to the following tables:
+
+- AadSignInEventsBeta - contains sign-in information for users.
+- IdentityLogonEvents - contains logon information for users.
+- CloudAppEvents - contains audit logs of user activities.
+- EmailEvents - contains mail flow/traffic information.
+- EmailUrlInfo - contains Url information contained in emails.
+- UrlClickEvents - contains Url click logs for Urls that were clicked in the emails.
+- DeviceEvents - contains device activity audit events.
+
+Use the query below to identify suspicious logon behavior:
+
+```kusto
+let OfficeHomeSessionIds =
+AADSignInEventsBeta
+| where Timestamp > ago(1d)
+| where ErrorCode == 0
+| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application
+| where ClientAppUsed == "Browser"
+| where LogonType has "interactiveUser"
+| summarize arg_min(Timestamp, Country) by SessionId;
+AADSignInEventsBeta
+| where Timestamp > ago(1d)
+| where ApplicationId != "4765445b-32c6-49b0-83e6-1d93765276ca"
+| where ClientAppUsed == "Browser"
+| project OtherTimestamp = Timestamp, Application, ApplicationId, AccountObjectId, AccountDisplayName, OtherCountry = Country, SessionId
+| join OfficeHomeSessionIds on SessionId
+| where OtherTimestamp > Timestamp and OtherCountry != Country
+```
+Use the below query for identifying uncommon countries:
+
+```kusto
+AADSignInEventsBeta
+| where Timestamp > ago(7d)
+| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application
+| where ClientAppUsed == "Browser"
+| where LogonType has "interactiveUser"
+| summarize Countries = make_set(Country) by AccountObjectId, AccountDisplayName
+```
+Use this query to find new email Inbox rules created during a suspicious sign-in session:
+
+```kusto
+//Find suspicious tokens tagged by AAD "Anomalous Token" alert
+let suspiciousSessionIds = materialize(
+AlertInfo
+| where Timestamp > ago(7d)
+| where Title == "Anomalous Token"
+| join (AlertEvidence | where Timestamp > ago(7d) | where EntityType == "CloudLogonSession") on AlertId
+| project sessionId = todynamic(AdditionalFields).SessionId);
+//Find Inbox rules created during a session that used the anomalous token
+let hasSuspiciousSessionIds = isnotempty(toscalar(suspiciousSessionIds));
+CloudAppEvents
+| where hasSuspiciousSessionIds
+| where Timestamp > ago(21d)
+| where ActionType == "New-InboxRule"
+| where RawEventData.SessionId in (suspiciousSessionIds)
+```
+
+## Recommended actions
+
+Once you determine that the alert activities are malicious, classify those alerts as True Positive (TP) and perform the following actions:
+
+- Reset the user's account credentials. Also, disable/revoke tokens for the compromised account.
+- If the artifacts that were found were related to email, configure block based on Sender IP address and Sender domains.
+ - Domains that are typo-squatted might either clear DMARC, DKIM, SPF policies (since the domain is different altogether) or they might return ΓÇ£nullΓÇ¥ results (as it's probably not configured by the threat actor).
+- Block URLs or IP addresses (on the network protection platforms) that were identified as malicious during the investigation.
+
+## See also
+
+[From cookie theft to BEC](https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/)
+
+
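Review bot: the prose spells the sign-in table AadSignInEventsBeta (investigation step 1 and the "Ensure you have access" list) while all three queries use AADSignInEventsBeta; Kusto table names are case-sensitive, so use the query spelling throughout or readers copying the name from the prose get a resolution error. In the playbook paragraph, "Attack-in-the-middle (AiTM)" should be "Adversary-in-the-Middle" as in the intro, and the Recommended actions bullet contains mojibake quotes (ΓÇ£nullΓÇ¥). The inbox-rule hint in step 3 is written as prose pseudo-KQL ("ActionType in (New-InboxRule, UpdateInboxRules, Set-InboxRule) and RawEventData has_all (MarkAsRead, MoveToFolder, Archive)") and would be clearer as a fourth fenced kusto block; note too that the final query filters only ActionType == "New-InboxRule", so rules modified rather than created during the anomalous-token session (the UpdateInboxRules and Set-InboxRule cases the same step names) are missed.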
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
For more information on what's new with other Microsoft Defender security produc
- **[Manage your allows and blocks in the Tenant Allow/Block List](manage-tenant-allow-block-list.md):** - With **allow expiry management** (currently in private preview), if Microsoft has not learned from the allow, Microsoft will automatically extend the expiry time of allows, which are going to expire soon, by 30 days to prevent legitimate email from going to junk or quarantine again. - Customers in the government cloud environments will now be able to create allow and block entries for URLs and attachments in the Tenant Allow/Block List using the admin URL and email attachment submissions. The data submitted through the submissions experience will not leave the customer tenant, thus satisfying the data residency commitments for government cloud clients.
+- **Enhancement in URL click alerts:**
+ - With the new lookback scenario, the "A potentially malicious URL click was detected" alert will now include any clicks during the _past 48 hours_ (for emails) from the time the malicious URL verdict is identified.
## September 2022
For more information on what's new with other Microsoft Defender security produc
- Redirection is enabled by default and impacts all users of the Tenant. - Global Administrators and Security Administrators can turn on or off redirection in the Microsoft 365 Defender portal by navigating to **Settings** > **Email & collaboration** > **Portal redirection** and switch the redirection toggle. - **Built-in protection**: A profile that enables a base level of Safe Links and Safe Attachments protection that's on by default for all Defender for Office 365 customers. To learn more about this new policy and order of precedence, see [Preset security policies](preset-security-policies.md) and to learn about the specific Safe Links and Safe Attachment controls set, see [Safe Attachments settings](recommended-settings-for-eop-and-office365.md#safe-attachments-settings) and [Safe Links settings](recommended-settings-for-eop-and-office365.md#safe-links-settings).
+- **Bulk Complaint Level** is now available in the EmailEvents table in Advanced Hunting with numeric BCL values from 0 to 9. A higher BCL score indicates that bulk message is more likely to generate complaints and is more likely to be spam.
## July 2022
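Review bot: the Bulk Complaint Level entry does not name the EmailEvents column readers would filter on (BulkComplaintLevel), and "indicates that bulk message is more likely" needs an article ("a bulk message"). In the URL click alert entry, "(for emails)" leaves it unclear whether clicks from Teams or Office documents are excluded from the 48-hour lookback; state the scope explicitly or drop the parenthetical.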