+> [!NOTE]

+> This app is not supported in regulated or restricted environments.

+description: "Learn how to interpret charges, billing, and payment info on your Microsoft 365 for business bill or invoice."

+Your bill or invoice provides a summary of charges for your subscription and includes instructions for how to make a payment.

+> If you have other subscriptions instead of or in addition to Microsoft 365, see [Understand your bill or invoice](understand-your-invoice.md).

+## How often and when am I billed?

+Depending on the billing frequency you chose when you bought your subscription, you receive an invoice either monthly or annually. If you chose annual billing, you only receive one invoice a year, unless activity for your subscription adds a new charge or a credit.

+The amount of time since the last invoice date is called the *Billing Period* and is on page one of the invoice. This time represents the date range during which charges accrue for the current invoice. If you made a change to your subscription outside of this date range, like adding or removing licenses, the associated charges appear on the invoice for the next billing period.

+Starting on page two of the invoice, you see the charges grouped by their *Service Period*. The service period is the date range during which you're charged to use the service.

+At the end of each billing period, you receive an email that says your new invoice is ready to view or download in the Microsoft 365 admin center. If you have more than one order, you receive an invoice for each order. Learn how to [find and view your bill or invoice](view-your-bill-or-invoice.md).

+## Why is my total due different from last month?

+The amount billed for your subscription reflects the license price multiplied by the number of licenses purchased and any required taxes or fees.

+If the amount billed is different than expected, that can happen for few reasons:

+- You added or removed licenses from your subscription. Licenses changed mid-term are reflected on the next invoice. You might see a credit and rebill for the previous service period to account for this change. For details about what this looks like in your invoice, see [Page two](#page-two) below.

+- The subscription was canceled. You receive an invoice after cancellation with any outstanding balance minus any credits.

+- Your subscription renewed for a new term and the license price changed.

+## Overview of the invoice .PDF

+Your invoice is a .PDF that contains at least two pages. [Page one](#page-one) is the billing summary, and contains general information about the invoice, order, amount due, and payment instructions, if applicable.

+[Page two](#page-two) contains details about the billing activity for each subscription during the service period.

+## Header

+The header appears at the top of every invoice page, and includes the month of service, and the **Invoice Date**, which is the date Microsoft created the invoice. The invoice is created the day after the end of your billing period. For example, if your billing period is January 15ΓÇöFebruary 14, your invoice date is February 15.

+The header also includes an **Invoice Number**, the unique number assigned to your invoice. If you pay by Electronic Funds Transfer (EFT) or check, include the invoice number with your payment.

+Finally, the header includes the **Due Date** for payment of the invoice, and shows the total amount due. If you pay for your subscription with a credit card or bank account, we charge your card or account the day after the invoice date.

+## Footer

+The footer appears at the bottom of every invoice page and includes Microsoft business center address. Based on your country or region, it might include other information like the phone number to call for billing or technical support, a link to online self-help articles, and the address and tax ID for Microsoft in your country or region.

+## Page one

+Page one of your invoice contains address information for your organization, high-level details about your order, a summary of invoice totals, and instructions about how to pay your invoice.

+### Addresses

+Three addresses appear at the top of the first page. The **Sold-To** address is the name and address of the organization that bought the subscription. The **Bill-To** address is the address of your billing department. **Service Usage Address** is the address where the service is used. Usually, these addresses are the same. Depending on the size and configuration of your organization, these addresses might be different.

+To update the **Sold-To** address, see [Change your organization's address, technical contact, and more](../../admin/manage/change-address-contact-and-more.md)**. To update your Bill-To** or **Service Usage Address**, see [Change your billing addresses](change-your-billing-addresses.md).

+#### Order Details

+On page one of your invoice, the **Product** is "Online Services,ΓÇ¥ the generic term we use to describe your subscription. Page two lists the individual products in your order.

+**Customer PO Number** is the purchase order (PO) number that you specify. You can't add a PO number to an existing invoice. If you update the PO number, itΓÇÖs included in future invoices. To change the PO number, see [Change your purchase order number](#change-your-purchase-order-number).

+**Order Number** is the globally unique identifier (GUID) that identifies your order. Every time you buy a new subscription, a new order with a new order number is created. You receive an invoice for each order every billing period.

+**Billing Period** is the period since the last invoice date.

+**Payment Terms** is the number of days from the invoice date when payment is due. The standard payment term is 30 days.

+**Due Date** is the date when the invoice payment is due. If your subscription is paid with a credit card or bank account, we charge your card or account the day after the Invoice Date.

+### Billing Summary

+Page one of your invoice shows the totals of the following items for the invoice billing period. Page two contains details for each category.

+- Charges

+- Discounts

+- Credits

+- Tax

+- Total

+### Payment Instructions

+If you pay by credit card, you see "Please DO NOT PAY. You will be charged the amount due through your selected method of payment." If you pay by invoice, this section contains instructions for paying by EFT or check.

+### Electronic Fund Transfer (EFT) and check

+If you chose ΓÇ£invoiceΓÇ¥ as your subscription payment method, page one contains the **Electronic Funds Transfer** section that shows the Microsoft bank account information for electronic payments (wire, ACH, SEPA, and so on). Usually, your bank has a reference field you complete when you send a payment. Make sure you reference the invoice number in that field.

+If we accept payments by check for your country or region, you also see a **Check** section that contains the payee name and mailing address. Make sure you reference your invoice number on the check.

+### Support

+In some countries or regions, the invoice has a **Support** section that includes instructions on how to view past invoices in the Microsoft 365 admin center. It also includes a link to self-help articles, and for some countries and regions, the support phone number.

+## Page two

+The product name for your subscription is at the top of page two. Below it is the formula that explains how the charges are calculated. If you have more than one product in your order, you see a separate section for each product and the associated charges.

+### New charges

+The **New charges** section shows the service period during which charges, discounts, credits, and taxes were added. It shows the number of licenses included during the service period, the price per license, and the number of days in the service period.

+### Previous charges

+The **Previous charges** section shows a credit for charges you paid for the previous invoice. If you made a change during the previous billing period, your invoice includes the **Previous charges** section. For example, if you added or removed licenses mid-term, the **Previous charges** section shows the number of licenses for that service period, together with the monthly price per license, the number of days in the service period, the charges, and other amounts that apply.

+### Charges during this billing period

+The **Charges during this billing period** section shows changes to your subscription made during this billing period. If you made a change during the previous billing period, your invoice also includes the **Changes during this billing period** section. For example, if you added or removed licenses mid-term, the **Charges during this billing period** section lists the changes to the subscription and when they occurred. The charges or refunds owed to you because of those changes are prorated for the number of days affected during the billing period.

+1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

+2. On the **Products** tab, select the subscription that you want to change.

+3. On the subscription details page, in the **Subscription and payment settings** section, select **Edit invoice**.

+4. At the bottom of the **Edit details for paying by invoice** pane, enter your PO number, and then select **Save**.

+## Run the Unknown Charge Diagnostic

+As a Microsoft 365 Global admin, you can use a diagnostic tool that runs within the Microsoft 365 admin center to research unexpected charges from Microsoft that appear on your bank or credit card statement.

+> [!NOTE]

+> The Unknown Charge Diagnostic is only available for customers who bought their products and services from Microsoft.com, including Microsoft 365 Enterprise, Education, and Non-profit.

+Select the **Run Tests** link below to open the diagnostic tool in the Microsoft 365 admin center.

+>[!div class="nextstepaction"]

+>[Run Tests: Unknown Charge](https://aka.ms/PillarUnknownCharge)

+[View your bill or invoice](view-your-bill-or-invoice.md) (article)\

+[Manage payment methods](manage-payment-methods.md) (article)\

+[Billing information for Microsoft 365 for business in Mexico](mexico-billing-info.md) (article) \

+If you do not see the **Remove roles** option, contact the [Partner Center](https://partner.microsoft.com/support).

+- Search for auto-expanded archiving is available in Outlook for the web (OWA). Similar to Online Archive, you can search for items that were moved to an additional storage area. When archive is selected as the search scope in OWA, all archives (including auto-expanded archives) and their corresponding subfolders will be searched. Note that search is not supported for the auto-expanded archive feature in a cloud-only archive situation (primary mailbox still on-premises).

+- Auto-expanded archive search is available in Outlook for Windows in Monthly Enterprise Channel. With this update the Current Mailbox scope is available, thus allowing you to search the auto-expanded archive. Note that search is not supported for the auto-expanded archive feature in a cloud-only archive situation (primary mailbox still on-premises). For more information about this and other Microsoft Search support features, see [How Outlook for Windows connected to Exchange Online utilizes Microsoft Search](https://techcommunity.microsoft.com/t5/outlook-global-customer-service/how-outlook-for-windows-connected-to-exchange-online-utilizes/ba-p/1715045).

+If you're ready to enable auto-expanding archiving, see [Enable auto-expanding archiving](enable-autoexpanding-archiving.md).

+Select the extracted attachment text to view the details in the *Source* and *Plain text* views. After reviewing, you can resolve or take action on the attachment text using the command bar controls. You also have the option to download the attachment for review outside of the communication compliance review process.

+- **Improved message views**: Investigation and remediation actions are now quicker with new message source and text views. Message attachments are now viewable to provide complete context when taking remediation actions.

+- **Document review**: During the investigation of an issue, you can use several views of the message to help properly evaluate the detected issue. The views include a conversation summary, text-only, and detail views of the communication conversation.

+If the labels don't appear after seven days, check the **Status** of the label policy by selecting it from the **Label policies** page in the compliance center. If you see **(Error)** included in the status and in the details for the locations see a message that it's taking longer than expected to deploy the policy or to try redeploying the policy, try running the [Set-AppRetentionCompliancePolicy](/powershell/module/exchange/set-appretentioncompliancepolicy) or [Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy) PowerShell command to retry the policy distribution:

+First, the retention policy needs to be distributed to the locations that you selected, and then applied to content. You can always check the distribution status of the retention policy by selecting it from the **Retention policies** page in the compliance center. From the flyout pane, if you see **(Error)** included in the status, and in the details for the locations see a message that it's taking longer than expected to deploy the policy or to try redeploying the policy, try running the [Set-AppRetentionCompliancePolicy](/powershell/module/exchange/set-appretentioncompliancepolicy) or [Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy) PowerShell command to retry the policy distribution:

+

+ Within a specified group that's supported for this option, each [user will be individually authenticated](/azure/information-protection/prepare#azure-information-protection-requirements-for-user-accounts) by the Azure Information Protection service before they can open the encrypted content.

+Need to share your labeled and encrypted documents with people outside your organization? See [Sharing encrypted documents with external users](sensitivity-labels-office-apps.md#sharing-encrypted-documents-with-external-users).

+|[Audit label-related user activity](#auditing-labeling-activities) | Current Channel: 2011+ <br /><br> Monthly Enterprise Channel: 2011+ <br /><br> Semi-Annual Enterprise Channel: 2108+ | 16.43+ | 2.46+ | 16.0.13628+ | Yes |

+Client computers need a DNS A or AAAA record that includes one or more IP address(es) to connect to a cloud service. Some URLs included in Office 365 show CNAME records instead of A or AAAA records. These CNAME records are intermediary and there may be several in a chain. They will always eventually resolve to an A or AAAA record for an IP Address. For example, consider the following series of DNS records, which ultimately resolves to the IP address _IP_1_:

+#### [Find malware detection names for Microsoft Defender for Endpoint](find-defender-malware-name.md)

+ Title: Find malware detection names for Microsoft Defender for Endpoint

+description: How to find the names for the latest malware detections in Defender for Endpoint

+keywords: Microsoft malware family names

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+MS.technology: mde

+# Find malware detection names for Microsoft Defender for Endpoint

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/?linkid=2154037)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)

+It might be confusing to understand how Defender for Endpoint detects specific malware families. This is because malware naming schemes vary depending on who is first to report it, how it's referred to in the media, and how some companies use specific naming conventions.

+Microsoft is part of the [Microsoft Virus Information Alliance (VIA)](/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md) program. This effort is a public collaboration program to help fight cybercrime. Microsoft names specific malware according to the [Computer Antivirus Research Organization (CARO)](/windows/security/threat-protection/intelligence/malware-naming.md). For example, Microsoft detects the Sunburst cyberattack as **Trojan:MSIL/Solorigate.BR!dha**.

+To understand how Microsoft Defender for Endpoint detects specific malware families, you can follow the process outlined below.

+## Find the detection name for a malware family

+To find the detection name of a malware family, you'll need to search the internet for the malware name plus "hash".

+1. Get the name of the malware family

+2. Search the web for *malware family* + **cyberattack + hash** to find the hash

+3. Look up the hash in [Virus Total](https://www.virustotal.com/)

+4. Find the Microsoft row and how we name the malware

+5. Look up the malware name in the [Microsoft Defender Security Intelligence website] (https://www.microsoft.com/en-us/wdsi/threats). You should see Microsoft information and guidance specific to that malware.

+For example, search for the "Sunburst cyberattack hash". One of the websites returned in the search results should have the hash. In this example, the hash is **a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc**. Then, look up this hash in [Virus Total](https://www.virustotal.com/).

+You'll find the Microsoft row detects this malware as **Trojan:MSIL/Solorigate.BR!dha**. Searching in the Microsoft Defender Security Intelligence website, you'll find information specific to that malware, including techincal details and mitigation steps.

+ > 

+ > 

+ > 

+ > 

+Admins can't add allows directly to the Tenant Allow/Block List. Instead, you use the admin submission process to submit the message that were blocked so the corresponding URL, file, and/or senders will be added to the Tenant Allow/Block List. If a block of the file, URL, or sender has not happened, then the allow will not be created. In most cases where the message was determined to be a false positive that was incorrectly blocked, the allows are kept for as long as needed to give the system time to allow them naturally.

+> 

+ >

+ > Safe Links supports only HTTP(S) and FTP formats.

+- A domain-only-URL (for example `contoso.com` or `tailspintoys.com`) will block any URL that contains the domain.

+- The following clients don't recognize the **Do not rewrite the following URLs** lists in Safe Links policies. Users included in the policies can be blocked from accessing the URLs based on the results of Safe Links scanning in these clients:

+Previously, the ability for users to manage quarantined messages sent to a shared mailbox required admins to leave automapping enabled for the shared mailbox (it's enabled by default when an admin gives a user access to another mailbox). However, depending on the size and number of mailboxes that the user has access to, performance can suffer as Outlooks tries to open _all_ mailboxes that the user has access to. For this reason, many admins choose to [remove automapping for shared mailboxes](/outlook/troubleshoot/profiles-and-accounts/remove-automapping-for-shared-mailbox).

+- **Good mail**: Email that's determined not to be spam or are allowed by user or organizational policies.

+- **Malware**: Email that's blocked as malware by various filters.

+- **Phishing email**: Email that's blocked as phishing by various filters.

+- **Spam**: Email that's blocked as spam by various filters.

+- **Edge protection**: Email that's rejected at the edge/perimeter before being evaluated by EOP or Defender for Office 365.

+- **Rule messages**: Email messages that were acted upon by mail flow rules (also known as transport rules).