-For more information about the Get-MgUser command in the AzureAD module, see the reference article [Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser).

-Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.

-<!--Password length requirements (greater than about 10 characters) can result in user behavior that is predictable and undesirable. For example, users who are required to have a 16-character password may choose repeating patterns like **fourfourfourfour** or **passwordpassword** that meet the character length requirement but aren't hard to guess. Additionally, length requirements increase the chances that users will adopt other insecure practices, such as writing down their passwords, reusing them, or storing them unencrypted in their documents.-->

-To encourage users to think about a unique password, we recommend keeping a reasonable 14-character minimum length requirement.

-2. Choose **Data loss prevention** > **Policy**.

-3. Select a policy, and next to **Policy settings**, choose **Edit**.

-4. Either create a new rule, or edit an existing rule for the policy.

-5. On the **User notifications** tab, select **Customize the email text** and/or **Customize the policy tip text** options.

-6. Specify the text you want to use for email notifications and/or policy tips, and then choose **Save**.

-7. On the **Policy settings** tab, choose **Save**.

-2. Choose **Data loss prevention** > **Policy**.

-3. Select a policy, and look at the values under **Locations**. If you see **Teams chat and channel messages**, you're all set. If you don't, click **Edit**.

-4. In the **Status** column, turn on the policy for **Teams chat and channel messages**.

-5. On the **Choose locations** tab, keep the default setting of all accounts, or select **Let me choose specific locations**. You can specify:

- 1. Up to 1000 individual accounts to include or exclude

- 1. Distribution lists and security groups (mail enabled) to include or exclude.

- <!-- 1. the shared mailbox of a shared channel. **This is a public preview feature.**-->

-

-6. Then choose **Next**.

-7. Click **Save**.

-To perform this task, you must be assigned a role that has permissions to edit DLP policies. To learn more, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

-1. Go to the Compliance Center ([https://compliance.microsoft.com](https://compliance.microsoft.com)) and sign in.

-2. Choose **Data loss prevention** > **Policy** > **+ Create a policy**.

-3. Choose a [template](dlp-create-deploy-policy.md#create-and-deploy-data-loss-prevention-policies), and then choose **Next**.

- In our example, we chose the U.S. Personally Identifiable Information Data template.

-4. On the **Name your policy** tab, specify a name and description for the policy, and then choose **Next**.

-5. On the **Choose locations** tab, keep the default setting of all accounts, or select **Let me choose specific locations**. You can specify:

- 1. Up to 1000 individual accounts to include or exclude

- 1. Distribution lists and security groups to include or exclude. **This is a public preview feature.**

- <!-- 1. the shared mailbox of a shared channel. **This is a public preview feature.**-->

-

- > [!NOTE]

- > If you want to make sure documents that contain sensitive information are not shared inappropriately in Teams, make sure **SharePoint sites** and **OneDrive accounts** are turned on, along with **Teams chat and channel messages**.

-6. On the **Policy settings** tab, under **Customize the type of content you want to protect**, keep the default simple settings, or choose **Use advanced settings**, and then choose **Next**. If you choose advanced settings, you can create or edit rules for your policy. To get help with this, see [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md).

-7. On the **Policy settings** tab, under **What do you want to do if we detect sensitive info?**, review the settings. Here's where you can choose to keep default [policy tips and email notifications](use-notifications-and-policy-tips.md), or customize them.

- When you're finished reviewing or editing settings, choose **Next**.

-8. On the **Policy settings** tab, under **Do you want to turn on the policy or test things out first?**, choose whether to turn on the policy, [test it first](dlp-overview-plan-for-dlp.md#policy-deployment), or keep it turned off for now, and then choose **Next**.

-9. On the **Review your settings** tab, review the settings for your new policy. Choose **Edit** to make changes. When you're finished, choose **Create**.

-Allow approximately one hour for your new policy to work its way through your data center and sync to user accounts.

-You'll need to use the Azure Information Protection unified labeling client to protect documents with Double Key Encryption. Currently, you can't use Microsoft Office built-in sensitivity labeling.

-Deploying Double Key Encryption won't affect your existing HYOK setup. However, we recommend that you start using Double Key Encryption in parallel with HYOK.

-You can store Double Key Encrypted documents on-premises or in the cloud. In the cloud, you can move encrypted content to SharePoint Online and OneDrive for Business. Since Microsoft doesn't have access to your private key, the encrypted data remains opaque to Microsoft. This also means that you can't view the encrypted documents online in Office Web Apps.

-Double Key Encryption (DKE) uses two keys together to access protected content. Microsoft stores one key in Microsoft Azure, and you hold the other key. You maintain full control of one of your keys using the Double Key Encryption service. You apply protection using The Azure Information Protection unified labeling client to your highly sensitive content.

-Double Key Encryption is intended for your most sensitive data that is subject to the strictest protection requirements. DKE isn't intended for all data. In general, you'll be using Double Key Encryption to protect only a small part of your overall data. You should do due diligence in identifying the right data to cover with this solution before you deploy. In some cases, you might need to narrow your scope and use other solutions for most of your data, such as Microsoft Purview Information Protection with Microsoft-managed keys or BYOK. These solutions are sufficient for documents that aren't subject to enhanced protections and regulatory requirements. Also, these solutions enable you to use the most powerful Office 365 services; services that you can't use with DKE encrypted content. For example:

-DKE sensitivity labels are made available to end users through the sensitivity button in the AIP Unified Labeling client in Office Desktop Apps. Install these prerequisites on each client computer where you want to protect and consume protected documents.

-**Azure Information Protection Unified Labeling Client** versions 2.14.93.0 or later. Download and install the Unified Labeling client from the [Microsoft download center](https://www.microsoft.com/download/details.aspx?id=53018).

-**Outlook encryption only and do not forward scenarios**

-Configuring DKE for supported scenarios will create a warning in the label configuration experience. For encryption only and do not forward, these unsupported scenarios have no warning in the label configuration experience.

-1. [Enable DKE in your client](#enable-dke-in-your-client)

-### Enable DKE in your client

-If you're an Office Insider, DKE is enabled for you. Otherwise, enable DKE for your client by adding the following registry keys:

-```console

- [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\flighting]

- "DoubleKeyProtection"=dword:00000001

- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\flighting]

- "DoubleKeyProtection"=dword:00000001

-```

- - Selected documents only: This option exports only the documents that are currently selected. This option is only available when items are selected in a review set.

- - All filtered documents: This option exports the documents in an active filter. This option is only available when a filter is applied to the review set.

- - All documents in the review set: This option exports all documents in the review set.

-

- - Reports only: Only the summary and load file are created.

- - Loose files and PSTs (email is added to PSTs when possible): Files are exported in a format that resembles the original directory structure seen by users in their native applications. For more information, see the [Loose files and PST export structure](#loose-files-and-pst-export-structure) section.

- - Condensed directory structure: Files are exported and included in the download.

- - Condensed directory structure exported to your Azure Storage account: Files are exported to your organization's Azure Storage account. For this option, you have to provide the URL for the container in your Azure Storage account to export the files to. You also have to provide the shared access signature (SAS) token for your Azure Storage account. For more information, see [Export documents in a review set to an Azure Storage account](download-export-jobs.md).

- - Tags: When selected, tagging information is included in the load file.

- - Text files: This option includes the extracted text versions of native files in the export.

- - Replace redacted natives with converted PDFs: If redacted PDF files are generated during review, these files are available for export. You can choose to export only the native files that were redacted (by not selecting this option) or you can select this option to export the PDF files that contain the actual redactions.

- - Export_load_file_x of z.csv: The metadata file.

- - Warnings and errors x of z.csv: This file includes information about errors encountered when trying to export from the review set.

- - Exchange: This folder contains all content from Exchange stored in PST files. Redacted PDF files can't be included with this option. If an attachment is selected in the review set, the parent email message will be exported with the attachment attached.

-

- The Exchange folder may also contain a subfolder named mailboxname_loosefiles.zip, which contains the following items:

- - Information Rights Management (IRM) protected messages that have been decoded.

- - Error-remediated messages.

- - Modern attachments or links referenced in messages.

- - Encrypted items (which aren't included in the PST files in the Exchange folder).

- - SharePoint: This folder contains all native content from SharePoint in a native file format. Redacted PDF files can't be included with this option.

- - Export_load_file_x of z.csv: The metadata file and also includes the location of each file that is stored in the ZIP file

- - Warnings and errors x of z.csv: This file includes information about errors encountered when trying to export from the review set.

- - NativeFiles: This folder contains all the native files that were exported. Natives files are replaced with redacted PDFs if you selected the *Replace redacted natives with converted PDFs* option.

- - Error_files: This folder contains files that had either extraction or other processing error. The files will be placed into separate folders, either ExtractionError or ProcessingError. These files are listed in the load file.

- - Extracted_text_files: This folder contains all of the extracted text files that were generated at processing.

-For more information about creating queries using the `SensitiveType` property, see [Form a query to find sensitive data stored on sites](form-a-query-to-find-sensitive-data-stored-on-sites.md).

-> This feature is currently supported only by the Azure Information Protection unified labeling client, and if you haven't enabled your tenant for co-authoring and AutoSave for encrypted document.

-Select this option only after you've configured the Double Key Encryption service and you need to use this double key encryption for files that will have this label applied. After the label is configured and saved, you won't be able to edit it.

-description: Use data loss prevention (DLP) in SharePoint Online to discover documents that contain sensitive data throughout your tenant.

-# Form a query to find sensitive data stored on sites

-Users often store sensitive data, such as credit card numbers, social security numbers, or personal, on their sites, and over time this can expose an organization to significant risk of data loss. Documents stored on sitesΓÇöincluding OneDrive for Business sitesΓÇöcould be shared with people outside the organization who shouldn't have access to the information. With Microsoft Purview Data Loss Prevention (DLP) in SharePoint Online, you can discover documents that contain sensitive data throughout your tenant. After discovering the documents, you can work with the document owners to protect the data. This topic can help you form a query to search for sensitive data.

-> [!NOTE]

-> Electronic discovery, or eDiscovery, and DLP are premium features that require [SharePoint Online Plan 2](https://go.microsoft.com/fwlink/?LinkId=510080).

-## Forming a basic DLP query

-There are three parts that make up a basic DLP query: SensitiveType, count range, and confidence range. As illustrated in the following graphic, **SensitiveType:"\<type\>"** is required, and both **|\<count range\>** and **|\<confidence range\>** are optional.

-

-### Sensitive type - required

-So what is each part? SharePoint DLP queries typically begin with the property `SensitiveType:"` and an information type name from the [sensitive information types inventory](/Exchange/what-the-sensitive-information-types-in-exchange-look-for-exchange-2013-help), and end with a `"`. You can also use the name of a [custom sensitive information type](create-a-custom-sensitive-information-type.md) that you created for your organization. For example, you might be looking for documents that contain credit card numbers. In such an instance, you'd use the following format: `SensitiveType:"Credit Card Number"`. Because you didn't include count range or confidence range, the query returns every document in which a credit card number is detected. This is the simplest query that you can run, and it returns the most results. Keep in mind that the spelling and spacing of the sensitive type matters.

-### Ranges - optional

-Both of the next two parts are ranges, so let's quickly examine what a range looks like. In SharePoint DLP queries, a basic range is represented by two numbers separated by two periods, which looks like this: `[number]..[number]`. For instance, if `10..20` is used, that range would capture numbers from 10 through 20. There are many different range combinations and several are covered in this topic.

-Let's add a count range to the query. You can use count range to define the number of occurrences of sensitive information a document needs to contain before it's included in the query results. For example, if you want your query to return only documents that contain exactly five credit card numbers, use this: `SensitiveType:"Credit Card Number|5"`. Count range can also help you identify documents that pose high degrees of risk. For example, your organization might consider documents with five or more credit card numbers a high risk. To find documents fitting this criterion, you would use this query: `SensitiveType:"Credit Card Number|5.."`. Alternatively, you can find documents with five or fewer credit card numbers by using this query: `SensitiveType:"Credit Card Number|..5"`.

-#### Confidence range

-Finally, confidence range is the level of confidence that the detected sensitive type is actually a match. The values for confidence range work similarly to count range. You can form a query without including a count range. For example, to search for documents with any number of credit card numbersΓÇöas long as the confidence range is 85 percent or higherΓÇöyou would use this query: `SensitiveType:"Credit Card Number|*|85.."`.

-> [!IMPORTANT]

-> The asterisk ( `*` ) is a wildcard character that means any value works. You can use the wildcard character ( `*` ) either in the count range or in the confidence range, but not in a sensitive type.

-### Additional query properties and search operators available in the eDiscovery Center

-DLP in SharePoint also introduces the LastSensitiveContentScan property, which can help you search for files scanned within a specific timeframe. For query examples with the `LastSensitiveContentScan` property, see the [Examples of complex queries](#examples-of-complex-queries) in the next section.

-You can use not only DLP-specific properties to create a query, but also standard SharePoint eDiscovery search properties such as `Author` or `FileExtension`. You can use operators to build complex queries. For the list of available properties and operators, see the [Using Search Properties and Operators with eDiscovery](/archive/blogs/quentin/using-search-properties-and-operators-with-ediscovery) blog post.

-## Examples of complex queries

-The following examples use different sensitive types, properties, and operators to illustrate how you can refine your queries to find exactly what you're looking for.

-<br>

-****

-|Query|Explanation|

-|||

-|`SensitiveType:"International Banking Account Number (IBAN)"`|The name might seem strange because it's so long, but it's the correct name for that sensitive type. Make sure to use exact names from the [sensitive information types inventory](/Exchange/what-the-sensitive-information-types-in-exchange-look-for-exchange-2013-help). You can also use the name of a [custom sensitive information type](create-a-custom-sensitive-information-type.md) that you created for your organization.|

-|`SensitiveType:"Credit Card Number|1..4294967295|1..100"`|This returns documents with at least one match to the sensitive type "Credit Card Number." The values for each range are the respective minimum and maximum values. A simpler way to write this query is `SensitiveType:"Credit Card Number"`, but where's the fun in that?|

-|`SensitiveType:"Credit Card Number|5..25" AND LastSensitiveContentScan:"8/11/2018..8/13/2018"`|This returns documents with 5-25 credit card numbers that were scanned from August 11, 2018 through August 13, 2018.|

-|`SensitiveType:"Credit Card Number|5..25" AND LastSensitiveContentScan:"8/11/2018..8/13/2018" NOT FileExtension:XLSX`|This returns documents with 5-25 credit card numbers that were scanned from August 11, 2018 through August 13, 2018. Files with an XLSX extension aren't included in the query results. `FileExtension` is one of many properties that you can include in a query. For more information, see [Using Search Properties and Operators with eDiscovery](/archive/blogs/quentin/using-search-properties-and-operators-with-ediscovery).|

-|`SensitiveType:"Credit Card Number" OR SensitiveType:"U.S. Social Security Number (SSN)"`|This returns documents that contain either a credit card number or a social security number.|

-|

-## Examples of queries to avoid

-Not all queries are created equal. The following table gives examples of queries that don't work with DLP in SharePoint and describes why.

-<br>

-****

-|Unsupported query|Reason|

-|||

-|`SensitiveType:"Credit Card Number|.."`|You must add at least one number.|

-|`SensitiveType:"NotARule"`|"NotARule" isn't a valid sensitive type name. Only names in the [sensitive information types inventory](/Exchange/what-the-sensitive-information-types-in-exchange-look-for-exchange-2013-help) work in DLP queries.|

-|`SensitiveType:"Credit Card Number|0"`|Zero isn't valid as either the minimum value or the maximum value in a range.|

-|`SensitiveType:"Credit Card Number"`|It's might be difficult to see, but there's extra white space between "Credit" and "Card" that makes the query invalid. Use exact sensitive type names from the [sensitive information types inventory](/Exchange/what-the-sensitive-information-types-in-exchange-look-for-exchange-2013-help).|

-|`SensitiveType:"Credit Card Number|1. .3"`|The two-period portion shouldn't be separated by a space.|

-|`SensitiveType:"Credit Card Number| |1..|80.."`|There are too many pipe delimiters (\|). Follow this format instead: `SensitiveType: "Credit Card Number|1..|80.."`|

-|`SensitiveType:"Credit Card Number|1..|80..101"`|Because confidence values represent a percentage, they can't exceed 100. Choose a number from 1 through 100 instead.|

-|

-## For more information

- - Additionally, you're not using [Double Key Encryption](double-key-encryption.md) in the same tenant

- For labels with either of these encryption configurations, the labels display in Office apps. However, when users select these labels and nobody else is editing the document, they're warned that co-authoring and AutoSave won't be available. If somebody else is editing the document, users see a message that the labels can't be applied.

-Sensitivity labels that apply [S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) can't be used to protect calendar items, Teams meetings, and chat.

-If you later need to revert this configuration, change the value to 1 by selecting **Enabled**. You might also need to change enable this setting if the **Sensitivity** button isn't displayed on the ribbon as expected. For example, a previous administrator turned this labeling setting off.

-|

- - **Double Key Encryption**: If the highest priority label applies Double Key Encryption, no label or encryption is selected for the email message in Outlook for Windows.

-|Microsoft Endpoint Configuration Manager, Version 2103|Microsoft Endpoint Configuration Manager, Version 2211|

-> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows client virtual machines expire 90 days after activation of the lab. New versions of the labs will be published on or before May 28, 2023.

-keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus

-### February-2023 (Platform: 4.18.2302.7 | Engine: 1.1.20100.6)

-#### What's new

-#### Known Issues

-|Subscription requirements|One of these subscriptions: <ul><li>Microsoft 365 E5 or A5</li><li>Microsoft 365 E3 with the Microsoft 365 E5 Security add-on</li><li>Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on</li><li>Microsoft 365 A3 with the Microsoft 365 A5 Security add-on</li><li>Windows 10 Enterprise E5 or A5</li><li>Windows 11 Enterprise E5 or A5</li><li>Enterprise Mobility + Security (EMS) E5 or A5</li><li>Office 365 E5 or A5</li><li>Microsoft Defender for Endpoint</li><li>Microsoft Defender for Identity</li><li>Microsoft Defender for Cloud Apps</li><li>Defender for Office 365 (Plan 2)</li></ul> <p> See [Microsoft 365 Defender licensing requirements](./prerequisites.md#licensing-requirements).|

-For more general tips, see [prevent malware infection](/microsoft-365/security/defender-endpoint/prevent-malware-infection).

-|User|A user is sending malware/phish|Automated investigation doesn't result in a specific pending action. <p> The user might be reporting malware/phish, or someone could be [spoofing the user](anti-phishing-protection-spoofing-about.md) as part of an attack. Use [Threat Explorer](threat-explorer-about.md) to view and handle email containing [malware](threat-explorer-views.md#email--malware) or [phish](threat-explorer-views.md#email--phish).|

-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP assigns a bulk complaint level (BCL) to inbound messages from bulk mailers. The BCL is added to the message in an X-header and is similar to the [spam confidence level (SCL)](anti-spam-spam-confidence-level-scl-about.md) that's used to identify messages as spam. A higher BCL indicates a bulk message is more likely to generate complaints (and is therefore more likely to be spam). Microsoft uses both internal and third party sources to identify bulk mail and determine the appropriate BCL.

-Bulk mailers vary in their sending patterns, content creation, and recipient acquisition practices. Good bulk mailers send desired messages with relevant content to their subscribers. These messages generate few complaints from recipients. Other bulk mailers send unsolicited messages that closely resemble spam and generate many complaints from recipients. Messages from a bulk mailer are known as bulk mail or gray mail.

- Spam filtering marks messages as **Bulk email** based on the BCL threshold (the default value or a value you specify) and takes the specified action on the message (the default action is deliver the message to the recipient's Junk Email folder). For more information, see [Configure anti-spam policies](anti-spam-policies-configure.md) and [What's the difference between junk email and bulk email?](anti-spam-spam-vs-bulk-about.md)

-|4, 5, 6, 7^\*|The message is from a bulk sender that generates a mixed number of complaints.|

-^\* This is the default threshold value that's used in anti-spam policies.

-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound messages go through spam filtering in EOP and are assigned a spam score. That score is mapped to an individual spam confidence level (SCL) that's added to the message in an X-header. A higher SCL indicates a message is more likely to be spam. EOP takes action on the message based on the SCL.

-What the SCL means and the default actions that are taken on messages are described in the following table. For more information about actions you can take on messages based on the spam filtering verdict, see [Configure anti-spam policies in EOP](anti-spam-policies-configure.md).

-|-1|The message skipped spam filtering. For example, the message is from a safe sender, was sent to a safe recipient, or is from an email source server on the IP Allow List. For more information, see [Create safe sender lists in EOP](create-safe-sender-lists-in-office-365.md).|Deliver the message to the recipients' inbox.|

-|0, 1|Spam filtering determined the message wasn't spam.|Deliver the message to the recipients' inbox.|

-|5, 6|Spam filtering marked the message as **Spam**|Deliver the message to the recipients' Junk Email folder.|

-|8, 9|Spam filtering marked the message as **High confidence spam**|Deliver the message to the recipients' Junk Email folder.|

-You'll notice that SCL 2, 3, 4, and 7 aren't used by spam filtering.

-Similar to the SCL, the bulk complaint level (BCL) identifies bad bulk email (also known as _gray mail_). A higher BCL indicates a bulk mail message is more likely to generate complaints (and is therefore more likely to be spam). You configure the BCL threshold in anti-spam policies. For more information, see [Configure anti-spam policies in EOP](anti-spam-policies-configure.md), [Bulk complaint level (BCL) in EOP)](anti-spam-bulk-complaint-level-bcl-about.md), and [What's the difference between junk email and bulk email?](anti-spam-spam-vs-bulk-about.md).

- **New to Microsoft 365?** Discover free video courses for **Microsoft 365 admins and IT pros**, brought to you by LinkedIn Learning.

-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, customers sometimes ask: "what's the difference between junk email and bulk email?" This topic explains the difference and describes the controls that are available in EOP.

- - You can configure the actions to take on spam filtering verdicts. For instructions, see [Configure anti-spam policies in EOP](anti-spam-policies-configure.md).

- - If you disagree with the spam filtering verdict, you can report messages that you consider to be spam or non-spam to Microsoft in several ways, as described in [Report messages and files to Microsoft](submissions-report-messages-files-to-microsoft.md).

-Anti-spam polices have a default BCL threshold that's used to identify bulk email as spam. Admins can increase or decrease the threshold. For more information, see the following topics:

-Another option that's easy to overlook: if a user complains about receiving bulk email, but the messages are from reputable senders that pass spam filtering in EOP, have the user check for a unsubscribe option in the bulk email message.

-In September 2022, Microsoft Defender for Office 365 Plan 2 customers can access BCL from [advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview). This feature allows admins to look at all bulk senders who sent mail to their organization, along with the corresponding BCL values and the email volume received. You can drill down into the bulk senders by using other columns in **EmailEvents** table in the **Email & collaboration** schema. For more information, see [EmailEvents](/microsoft-365/security/defender/advanced-hunting-emailevents-table).

-For example, if Contoso has set their current bulk threshold to 7 in anti-spam policies, Contoso recipients will receive email from all senders with BCL \< 7 in their Inbox. Admins can run the following query to get a list of all bulk senders in the organization:

-This query allows admins to identify wanted and unwanted senders. If a bulk sender has a BCL score that doesn't meet the bulk threshold, admins can [submit the sender's messages to Microsoft for analysis](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-on-the-submissions-page), which adds the sender as an allow entry in the Tenant Allow/Block List.

-1. In the Threat protection status report, select **View data by Email \> Spam**. To go directly to the report, open one of the following URLs:

- - EOP: <https://security.microsoft.com/reports/TPSAggregateReport>

- - Defender for Office 365: <https://security.microsoft.com/reports/TPSAggregateReportATP>

-2. Filter for Bulk email, select an email to investigate and click on email entity to learn more about the sender. Email entity is available only for Defender for Office 365 Plan 2 customers.

-3. Once you have identified wanted and unwanted senders, adjust the bulk threshold to your desired level. If there are bulk senders with BCL score that doesn't fit within your bulk threshold, [submit the messages to Microsoft for analysis](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-on-the-submissions-page), which adds the sender as an allow entry in the Tenant Allow/Block List.

-Campaigns in the Microsoft 365 Defender portal identifies and categorizes coordinated email attacks, including phishing and malware. Microsoft's management of email attacks into discrete campaigns will help you to:

-Campaigns lets you see the big picture of an email attack faster and more complete than any human.

-Watch this short video on how campaigns in Microsoft Defender for Office 365 help you understand coordinated email attacks targeting your organization.

-A campaign is a coordinated email attack against one or many organizations. Email attacks that steal credentials and company data are a large and lucrative industry. As technologies increase in an effort to stop attacks, attackers modify their methods in an effort to ensure continued success.

-Microsoft leverages the vast amounts of anti-phishing, anti-spam, and anti-malware data across the entire service to help identify campaigns. We analyze and classify the attack information according to several factors. For example:

-A campaign might be short-lived, or could span several days, weeks, or months with active and inactive periods. A campaign might be launched against your specific organization, or your organization might be part of a larger campaign across multiple companies.

-## Campaigns in the Microsoft 365 Defender portal

-Campaigns is available in the Microsoft 365 Defender portal at <https://security.microsoft.com> at **Email & collaboration** \> **Campaigns**. Or, to go directly to the **Campaigns** page, use <https://security.microsoft.com/campaigns>.

-You can also view Campaigns from:

-## Required licenses and permissions

-## Campaigns overview

-The main Campaigns page is a threat report with all campaigns targeting your organizations.

-On the default **Campaign** tab, the **Campaign type** area shows a bar graph that shows the number of recipients per day. By default, the graph shows both **Phish** and **Malware** data.

-> [!TIP]

-> If you don't see any campaign data, or very limited data, try changing the date range or [filters](#filters-and-settings).

-The table below the graph on the overview page shows the following information on the **Campaign** tab:

- - **Phish**: Where available, the brand that is being phished by this campaign. For example, `Microsoft`, `365`, `Unknown`, `Outlook`, or `DocuSign`.

- - **Malware**: For example, `HTML/PHISH` or `HTML/<MalwareFamilyName>`.

- Where available, the brand that is being phished by this campaign. When the detection is driven by Defender for Office 365 technology, the prefix **ATP-** is added to the subtype value.

- Note that **Click rate** isn't used in malware campaigns.

-The **Campaign origin** tab shows the message sources on a map of the world.

-### Filters and settings

-At the top of the **Campaign** page, there are several filter and query settings to help you find and isolate specific campaigns.

-The most basic filtering that you can do is the start date/time and the end date/time.

-To further filter the view, you can do single property with multiple values filtering by clicking the **Campaign type** button, making your selection, and then clicking **Refresh**.

-The filterable campaign properties that are available in the **Campaign type** button are described in the following list:

- - **Campaign type**: Select **Malware** or **Phish**. Clearing the selections has the same result as selecting both.

- - **Campaign name**

- - **Campaign subtype**

- - **Sender**

- - **Recipients**

- - **Sender domain**

- - **Subject**

- - **Attachment filename**

- - **Malware family**

- - **Tags**: Users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see [User tags](user-tags-about.md).

- - **Delivery action**

- - **Additional action**

- - **Directionality**

- - **Detection technology**

- - **Original delivery location**

- - **Latest delivery location**

- - **System overrides**

- - **URL domain**

- - **URL domain and path**

- - **URL**

- - **URL path**

- - **Click verdict**

-For more advanced filtering, including filtering by multiple properties, you can click the **Advanced filter** button to build a query. The same campaign properties are available, but with the following enhancements:

-When you're finished, click the **Query** button.

-After you create a basic or advanced filter, you can save it by using **Save query** or **Save query as**. Later, when you return to the **Campaigns** page, you can load a saved filter by clicking **Saved query settings**.

-To export the graph or the list of campaigns, click **Export** and select **Export chart data** or **Export campaign list**.

-If you have a Microsoft Defender for Endpoint subscription, you can click **MDE Settings** to connect or disconnect the campaigns information with Microsoft Defender for Endpoint. For more information, see [Integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint](integrate-office-365-ti-with-mde.md).

-When you click on the name of a campaign, the campaign details appear in a flyout.

-At the top of the campaign details view, the following campaign information is available:

-In the middle of the campaign details view, important details about the campaign are presented in a horizontal flow diagram (known as a _Sankey_ diagram). These details will help you to understand the elements of the campaign and the potential impact in your organization.

-If you hover over a horizontal band in the diagram, you'll see the number of related messages (for example, messages from a particular source IP, messages from the source IP using the specified sender domain, etc.).

- |**Tenant Allow**^\*|`SFV:SKA`|The message skipped spam filtering because of the settings in an anti-spam policy. For example, the sender was in the allowed sender list or allowed domain list.|

- |**Tenant Block**^\*\*|`SFV:SKA`|The message was blocked by spam filtering because of the settings in an anti-spam policy. For example, the sender was in the allowed sender list or allowed domain list.|

- |**User Allow**^\*|`SFV:SFE`|The message skipped spam filtering because the sender was in a user's Safe Senders list.|

- |**User Block**^\*\*|`SFV:BLK`|The message was blocked by spam filtering because the sender was in a user's Blocked Senders list.|

- ^\* Review your anti-spam policies, because the allowed message would have likely been blocked by the service.

- ^\*\* Review your anti-spam policies, because these messages should be quarantined, not delivered.

-When a phishing message is delivered to a recipient's Inbox or Junk Email folder, there's always a chance that the user will click on the payload URL. Not clicking on the URL is a small measure of success, but you need to determine why the phishing message was even delivered to the mailbox.

-If a user clicked on the payload URL in the phishing message, the actions are displayed in the **URL clicks** area of the diagram in the campaign details view.

-The tabs in the campaign details view allow you to further investigate the campaign.

-> The information that's displayed on the tabs is controlled by the date range filter in the timeline as described in [Campaign information](#campaign-information) section.

- - **Sender**: This is the actual sender address in the SMTP MAIL FROM command, which is not necessarily the From: email address that users see in their email clients.

-^\* Clicking on this value opens a new flyout that contains more details about the specified item (user, URL, etc.) on top of the campaign details view. To return to the campaign details view, click **Done** in the new flyout.

-### Additional Actions

-The buttons at the bottom the campaign details view allows you to investigate and record details about the campaign:

- **New to Microsoft 365?** Discover free video courses for **Microsoft 365 admins and IT pros**, brought to you by LinkedIn Learning.

-To see malware detected in email sorted by Microsoft 365 technology, use the [**Email \> Malware**](threat-explorer-views.md#email--malware) view of Explorer (or Real-time detections). Malware is the default view, so it might be selected as soon as you open Explorer.

- From here, start at the View, choose a particular frame of time to investigate (if needed), and focus your filters, as per the [Explorer walk- through](threat-explorer-threat-hunting.md#threat-explorer-walk-through).

-2. In the **View** drop down list, verify that **Email** \> **Malware** is selected.

-3. Click **Sender**, and then choose **Basic** \> **Detection technology** in the drop down list.

- :::image type="content" source="../../media/exploreremailmalwaredetectiontech-newimg.png" alt-text="The malware detection technology" lightbox="../../media/exploreremailmalwaredetectiontech-newimg.png":::

- :::image type="content" source="../../media/exploreremailmalwaredetectiontech2-new.png" alt-text="selected detection technology" lightbox="../../media/exploreremailmalwaredetectiontech2-new.png":::

-1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Explorer**, and then, in the **View** drop down list, verify that **Phish** is selected.

-3. Click **Actions** to expand the list of options.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="../../media/report-clean-option-explorer.png" alt-text="The Report clean option in the Explorer" lightbox="../../media/report-clean-option-explorer.png":::

-5. Toggle the slider to **On**. From the drop down list, specify the number of days you want the message to be removed, add a note if needed, and then select **Submit**.

-You can view phishing attempts through URLs in email, including a list of URLs that were allowed, blocked, and overridden. To identify URLs that were clicked, [Safe Links](safe-links-about.md) must be configured. Make sure that you set up [Safe Links policies](safe-links-policies-configure.md) for time-of-click protection and logging of click verdicts by Safe Links.

-2. In the **View** drop down list, choose **Email** \> **Phish**.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="../../media/ExplorerViewEmailPhishMenu.png" alt-text="The View menu for Explorer in phishing context" lightbox="../../media/ExplorerViewEmailPhishMenu.png":::

-3. Click **Sender**, and then choose **URLs** \> **Click verdict** in the drop down list.

- :::image type="content" source="../../media/threatexploreremailphishclickverdict-new.png" alt-text="The URLs and click verdicts" lightbox="../../media/threatexploreremailphishclickverdict-new.png":::

- - **Top URLs** are the URLs in the messages that you filtered down to and the email delivery action counts for each URL. In the Phish email view, this list typically contains legitimate URLs. Attackers include a mix of good and bad URLs in their messages to try to get them delivered, but they make the malicious links look more interesting. The table of URLs is sorted by total email count, but this column is hidden to simplify the view.

- - **Top clicks** are the Safe Links-wrapped URLs that were clicked, sorted by total click count. This column also isn't displayed, to simplify the view. Total counts by column indicate the Safe Links click verdict count for each clicked URL. In the Phish email view, these are usually suspicious or malicious URLs. But the view could include URLs that aren't threats but are in phish messages. URL clicks on unwrapped links don't show up here.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="../../media/ExplorerPhishClickVerdictURLs.png" alt-text="The Explorer URLs that were blocked" lightbox="../../media/ExplorerPhishClickVerdictURLs.png":::

- Select a URL to view more detailed information.

-3. Custom policies based on the priority of the policy (a lower number indicates a higher priority).

-4. The Built-in protection preset security policy for Safe Links and Safe Attachments; the default policies for anti-malware, anti-spam, and anti-phishing.

-In other words, the settings of the Strict preset security policy override the settings of the Standard preset security policy, which overrides the settings from any custom policies, which override the settings of the Built-in protection preset security policy for Safe Links and Safe Attachments, and the default policies for anti-spam, anti-malware, and anti-phishing.

-|[Increase sign-in security for priority accounts](#increase-sign-in-security-for-priority-accounts)||||

-|[Use Strict preset security policies for priority accounts](#use-strict-preset-security-policies-for-priority-accounts)||||

-|[Apply user tags to priority accounts](#apply-user-tags-to-priority-accounts)||||

-|[Monitor priority accounts in alerts, reports, and detections](#monitor-priority-accounts-in-alerts-reports-and-detections)||||

-|[Train users](#train-users)||||

-# Explorer and Real-time detections

-This article explains the difference between Explorer and real-time detections reporting, updated experience with Explorer and real-time detections where you can toggle between old and new experiences, and the licenses and permissions that are required.

- > [!div class="mx-imgBorder"]

- > 

- > [!div class="mx-imgBorder"]

- > 

- > [!div class="mx-imgBorder"]

- > 

- > [!div class="mx-imgBorder"]

- > 

- - Security Administrator (this can be assigned in the Azure Active Directory admin center (<https://aad.portal.azure.com>)

-> - You should also add all possible URLs that are used in phishing simulation messages in **Simulation URLs to allow**. These URL entries prevent the URLS from being treated as real threats at time of click: the URLs aren't blocked or detonated, and no URL click alerts or resulting incidents are generated.

- - **Simulation URLs to allow**: Expand this setting and enter specific URLs that are part of your phishing simulation campaign that shouldn't be blocked or detonated by clicking in the box, entering a value, and then pressing the ENTER key or selecting the value that's displayed below the box. You can add up to 30 entries. For the URL syntax, see [URL syntax for the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md#url-syntax-for-the-tenant-allowblock-list). These URLs are wrapped at the time of click, but they aren't blocked.

- To remove an existing value, select remove :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the value.

-3. Optionally, identity the phishing simulation URLs that should be allowed (that is, not blocked or scanned).

-In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can send templated messages back to end users after an admin has reviewed the reported messages. You can customize the templates for your organization and for the admin verdict.

-You will only be able to mark and notify users of review results if the message was reported as a [false positives or false negatives](submissions-outlook-report-messages.md).

- - Organization Management or Security Administrator in the [Microsoft 365 Defender portal](mdo-portal-permissions.md).

- - Organization Management in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups).

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **Submissions** page at **Email & collaboration** \> **Submissions** \> **User reported** tab. To go directly to the **User reported** tab, use <https://security.microsoft.com/reportsubmission?viewid=user>.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="../../media/admin-review-send-message-from-portal.png" alt-text="The page displaying the user-reported messages" lightbox="../../media/admin-review-send-message-from-portal.png":::

-The reported message will be marked as **No threats found**, **Phishing**, or **Spam**, and an email will be automatically sent to notify the user who reported the message.

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to the **User reported** page at **Settings** \> **Email & collaboration** \> **User reported** tab. To go directly to the **User reported** page, use <https://security.microsoft.com/securitysettings/userSubmission>.

-2. On the **User reported** page, verify that the toggle at the top of the page is  **On**.

- - **Replace the Microsoft logo with my company logo**: Select this option to replace the default Microsoft logo that's used in notifications. Before you do this step, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](../../admin/setup/customize-your-organization-theme.md) to upload your custom logo. This option is not supported if your organization has a custom logo pointing to a URL instead of an uploaded image file.

- - **Customize email notification messages**: Click this link to customize the email notification that's sent after an admin reviews and marks a reported message. In the **Customize admin review email notifications** flyout that appears, configure the following settings on the **Phishing**, **Junk** and **No threats found** tabs:

- When you're finished on the **Customize admin review email notifications** flyout, click **Confirm**.

- > [!div class="mx-imgBorder"]

- > :::image type="content" source="../../media/admin-review-customize-message.png" alt-text="The Customize confirmation message page" lightbox="../../media/admin-review-customize-message.png":::

-4. When you're finished, click **Save**. To clear these values, click **Restore** on the **User reported** page.

-# Threat Explorer and Real-time detections

-If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [necessary permissions](#required-licenses-and-permissions), you have either **Explorer** or **Real-time detections** (formerly *Real-time reports* ΓÇö [see what's new](#new-features-in-threat-explorer-and-real-time-detections)!).

-Explorer or Real-time detections helps your security operations team investigate and respond to threats efficiently. With this report, you can:

-## Improvements to Threat Hunting Experience

-> :::image type="content" source="../../media/AlertID-Filter.png" alt-text="The Filtering for Alert ID" lightbox="../../media/AlertID-Filter.png":::

-> :::image type="content" source="../../media/tags-grid.png" alt-text="The Filter tags in email grid view" lightbox="../../media/tags-grid.png":::

-> :::image type="content" source="../../media/tags-filter-not.png" alt-text="The tags that are not filtered" lightbox="../../media/tags-filter-not.png":::

-> :::image type="content" source="../../media/tags-flyout.png" alt-text="The Email Details tags" lightbox="../../media/tags-flyout.png":::

-> :::image type="content" source="../../media/tags-urls.png" alt-text="The URL tags" lightbox="../../media/tags-urls.png":::

-## Improvements to the threat hunting experience (upcoming)

-> :::image type="content" source="../../media/URL_Threats.png" alt-text="The URL threats" lightbox="../../media/URL_Threats.png":::

-> :::image type="content" source="../../media/Email_Timeline.png" alt-text="The updated Timeline View" lightbox="../../media/Email_Timeline.png":::

-> :::image type="content" source="../../media/Updated_Delivery_Location.png" alt-text="The updated delivery locations" lightbox="../../media/Updated_Delivery_Location.png":::

-> :::image type="content" source="../../media/Updated_Timeline_Delivery_Location.png" alt-text="The delivery locations for timeline" lightbox="../../media/Updated_Timeline_Delivery_Location.png":::

-> :::image type="content" source="../../media/Additional_Actions.png" alt-text="The additional actions in Explorer" lightbox="../../media/Additional_Actions.png":::

-> :::image type="content" source="../../media/System_Overrides_Grid.png" alt-text="The System Overrides Grid in Explorer" lightbox="../../media/System_Overrides_Grid.png":::

-> :::image type="content" source="../../media/threat-explorer-tags.png" alt-text="The Tags column in Explorer" lightbox="../../media/threat-explorer-tags.png":::

-> :::image type="content" source="../../media/TimezoneImprovements.png" alt-text="The View time zone in Explorer" lightbox="../../media/TimezoneImprovements.png":::

-> :::image type="content" source="../../media/ManualRefresh.png" alt-text="The Refresh button to filter results" lightbox="../../media/ManualRefresh.png":::

-> :::image type="content" source="../../media/ChartDrilldown.png" alt-text="The Drill down through charts to Filter" lightbox="../../media/ChartDrilldown.png":::

-> :::image type="content" source="../../media/ProductInfo.png" alt-text="The in-product information to be viewed" lightbox="../../media/ProductInfo.png":::

-> :::image type="content" source="../../media/Top_Targeted_Users.png" alt-text="The top-targeted users" lightbox="../../media/Top_Targeted_Users.png":::

-> > :::image type="content" source="../../media/ETR_Details.png" alt-text="The Exchange transport rules" lightbox="../../media/ETR_Details.png":::

-> :::image type="content" source="../../media/Connector_Details.png" alt-text="The Connector details" lightbox="../../media/Connector_Details.png":::

-2. In the View menu, choose Email > Phish.

- :::image type="content" source="../../media/threat-ex-views-impersonated-user-image.png" alt-text="The Threat Explorer details pane for a protected user showing the detection location, and the threat that was detected (here phish impersonation of a user)" lightbox="../../media/threat-ex-views-impersonated-user-image.png":::

-**Explorer** \> **View Phish** \> **Clicks** \> **Top URLs** or **URL Top Clicks** \> select any record to open the URL flyout.

-**Explorer** \> **Real-time detections** \> **View Phish** \> **URLs** \> **Top URLs** or **Top Clicks** \> Select any record to open the URL flyout \> navigate to the **Clicks** tab.

-> :::image type="content" source="../../media/tp_ExportClickResultAndNetworkID.png" alt-text="The Clicks tab in Explorer" lightbox="../../media/tp_ExportClickResultAndNetworkID.png":::

-Suppose you want to see malware detected in email sorted by Microsoft 365 technology. To do this, use the [Email > Malware](threat-explorer-views.md#email--malware) view of Explorer (or Real-time detections).

-2. In the **View** menu, choose **Email** \> **Malware**.

- > :::image type="content" source="../../media/ExplorerViewEmailMalwareMenu.png" alt-text="The View menu for Explorer" lightbox="../../media/ExplorerViewEmailMalwareMenu.png":::

- > :::image type="content" source="../../media/ExplorerEmailMalwareDetectionTech.png" alt-text="The Malware detection technologies" lightbox="../../media/ExplorerEmailMalwareDetectionTech.png":::

- > :::image type="content" source="../../media/ExplorerEmailMalwareDetectionTechATP.png" alt-text="The selected detection technology" lightbox="../../media/ExplorerEmailMalwareDetectionTechATP.png":::

-To review phish URLs in messages and clicks on URLs in phish messages, use the [**Email** > **Phish**](threat-explorer-views.md#email--phish) view of Explorer or Real-time detections.

- > :::image type="content" source="../../media/ExplorerViewEmailPhishMenu.png" alt-text="The View menu for Explorer in phishing context" lightbox="../../media/ExplorerViewEmailPhishMenu.png":::

-Suppose that you want to see email messages that users in your organization reported as *Junk*, *Not Junk*, or *Phishing* through the [Microsoft Report Message or Report Phishing add-ins](submissions-users-report-message-add-in-configure.md), use the [**Email** \> **Submissions**](threat-explorer-views.md#email--submissions) view of Explorer (or Real-time detections).

-## Improvements to threat hunting experience

-### Alert ID

-When navigating from an alert into Threat Explorer, the **View** will be filtered by **Alert ID**. This also applies in Real-time detection. Messages relevant to the specific alert, and an email total (a count) are shown. You will be able to see if a message was part of an alert, as well as navigate from that message to the related alert.

-Finally, alert ID is included in the URL, for example: `https://https://security.microsoft.com/viewalerts`

-### Extending Explorer (and Real-time detections) data retention and search limit for trial tenants

-As part of this change, analysts will be able to search for, and filter email data across 30 days (increased from seven days) in Threat Explorer and Real-time detections for both Defender for Office P1 and P2 trial tenants. This doesn't impact any production tenants for both P1 and P2 E5 customers, where the retention default is already 30 days.

-### Updated Export limit

-The number of Emails records that can be exported from Threat Explorer is now 200,000 (was 9990). The set of columns that can be exported is unchanged.

-### Tags in Threat Explorer

-> [!NOTE]

-> The user tags feature is in Preview and may not be available to everyone. Also, Previews are subject to change. For information about the release schedule, check out the Microsoft 365 roadmap.

-User tags identify specific groups of users in Microsoft Defender for Office 365. For more information about tags, including licensing and configuration, see [User tags](user-tags-about.md).

-In Threat Explorer, you can see information about user tags in the following experiences.

-#### Email grid view

-When analysts look at the **Tags** column the email grid, they are seeing all tags that have been applied to sender or recipient mailboxes. By default, system tags like *priority accounts* are shown first.

-#### Filtering

-Tags can be used as filters. Hunt among priority accounts only, or use specific user tags scenarios this way. You can also exclude results that have certain tags. Combine Tags with other filters and date ranges to narrow your scope of investigation.

-#### Email detail flyout

-To view the individual tags for sender and recipient, select an email to open the message details flyout. On the **Summary** tab, the sender and recipient tags are shown separately. The information about individual tags for sender and recipient can be exported as CSV data.

-Tags information is also shown in the URL clicks flyout. To see it, go to Phish or All Email view > **URLs** or **URL Clicks** tab. Select an individual URL flyout to see additional details about clicks for that URL, including any Tags associated with that click.

-### Updated Timeline View

-Learn more by watching [this video](https://www.youtube.com/watch?v=UoVzN0lYbfY&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=4).

-## Extended capabilities

-### Top targeted users

-Top Malware Families shows the **top targeted users** in the Malware section. Top targeted users will be extended through Phish and All Email views too. Analysts will be able to see the top-five targeted users, along with the number of attempts for each user in each view.

-Security operations people be able to export the list of targeted users, up to a limit of 3,000, along with the number of attempts made, for offline analysis for each email view. Also, selecting the number of attempts (for example, 13 attempts in the image below) will open a filtered view in Threat Explorer, so you can see more details across emails, and threats for that user.

-### Exchange transport rules

-The security operations team will be able to see all the Exchange transport rules (or Mail flow rules) applied to a message, in the Email grid view. Select **Column options** in the grid and then **Add Exchange Transport Rule** from the column options. The Exchange transport rules option is also visible on the **Details** flyout in the email.

-Names and GUIDs of the transport rules applied to the message appear. Analysts will be able to search for messages by using the name of the transport rule. This is a CONTAINS search, which means you can do partial searches as well.

-> [!IMPORTANT]

-> Exchange transport rule search and name availability depend on the specific role assigned to you. You need to have one of the following roles or permissions to view the transport rule names and search. However, even without the roles or permissions below, an analyst may see the transport rule label and GUID information in the Email Details. Other record-viewing experiences in Email Grids, Email flyouts, Filters, and Export are not affected.

->

-> - Exchange Online Only - data loss prevention: All

-> - Exchange Online Only - O365SupportViewConfig: All

-> - Microsoft Azure Active Directory or Exchange Online - Security Admin: All

-> - Azure Active Directory or Exchange Online - Security Reader: All

-> - Exchange Online Only - Transport Rules: All

-> - Exchange Online Only - View-Only Configuration: All

->

-> Within the email grid, Details flyout, and Exported CSV, the ETRs are presented with a Name/GUID as shown below.

->

-> :::image type="content" source="../../media/ETR_Details.png" alt-text="The rules in Exchange Transport" lightbox="../../media/ETR_Details.png":::

-### Inbound connectors

-Connectors are a collection of instructions that customize how your email flows to and from your Microsoft 365 or Office 365 organization. They enable you to apply any security restrictions or controls. In Threat Explorer, you can view the connectors that are related to an email and search for emails using connector names.

-The search for connectors is a CONTAINS query, which means partial keyword searches can work:

-Use the **View** menu to change what information is displayed. Tooltips help you determine which view to use.

-Once you have selected a view, you can apply filters and set up queries to conduct further analysis. The following sections provide a brief overview of the various views available in Explorer (or real-time detections).

-## Email > Malware

-To view this report, in Explorer (or real-time detections), choose **View** \> **Email** \> **Malware**. This view shows information about email messages that were identified as containing malware.

-Click **Sender** to open your list of viewing options. Use this list to view data by sender, recipients, sender domain, subject, detection technology, protection status, and more.

-For example, to see what actions were taken on detected email messages, choose **Protection status** in the list. Select an option, and then click the Refresh button to apply that filter to your report.

-Below the chart, view more details about specific messages. When you select an item in the list, a fly-out pane opens, where you can learn more about the item you selected.

-## Email > Phish

-To view this report, in Explorer (or real-time detections), choose **View** \> **Email** \> **Phish**. This view shows email messages identified as phishing attempts.

-Click **Sender** to open your list of viewing options. Use this list to view data by sender, recipients, sender domain, sender IP, URL domain, click verdict, and more.

-For example, to see what actions were taken when people clicked on URLs that were identified as phishing attempts, choose **Click verdict** in the list, select one or more options, and then click the Refresh button.

-Below the chart, view more details about specific messages, URL clicks, URLs, and email origin.

-When you select an item in the list, such as a URL that was detected, a fly-out pane opens, where you can learn more about the item you selected.

-## Email > Submissions

-To view this report, in Explorer (or real-time detections), choose **View** \> **Email** \> **Submissions**. This view shows email that users have reported as junk, not junk, or phishing email.

-Click **Sender** to open your list of viewing options. Use this list to view information by sender, recipients, report type (the user's determination that the email was junk, not junk, or phish), and more.

-For example, to view information about email messages that were reported as phishing attempts, click **Sender** \> **Report type**, select **Phish**, and then click the Refresh button.

-

-Below the chart, view more details about specific email messages, such as subject line, the sender's IP address, the user that reported the message as junk, not junk, or phish, and more.

-Select an item in the list to view additional details.

-## Email > All email

-To view this report, in Explorer, choose **View** \> **Email** \> **All mail**. This view shows an all-up view of email activity, including email identified as malicious due to phishing or malware, as well all non-malicious mail (normal email, spam, and bulk mail).

-> [!NOTE]

-> If you get an error that reads **Too much data to display**, add a filter and, if necessary, narrow the date range you're viewing.

-To apply a filter, choose **Sender**, select an item in the list, and then click the Refresh button. In our example, we used **Detection technology** as a filter (there are several options available). View information by sender, sender's domain, recipients, subject, attachment filename, malware family, protection status (actions taken by your threat protection features and policies in Office 365), detection technology (how the malware was detected), and more.

-Below the chart, view more details about specific email messages, such as subject line, recipient, sender, status, and so on.

-## Content > Malware

-To view this report, in Explorer (or real-time detections), choose **View** \> **Content** \> **Malware**. This view shows files that were identified as malicious by [Microsoft Defender for Office 365 in SharePoint Online, OneDrive for Business, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md).

-View information by malware family, detection technology (how the malware was detected), and workload (OneDrive, SharePoint, or Teams).

-## Click-to-filter capabilities

-With Explorer (and real-time detections), you can apply a filter in a click. Click an item in the legend, and that item becomes a filter for the report. For example, clicking **ATP Detonation** in this chart results in a view like this:

-In this view, we are now looking at data for files that were detonated by [Safe Attachments](safe-attachments-about.md). Below the chart, we can see details about specific email messages that had attachments that were detected by Safe Attachments.

-Selecting one or more items activates the **Actions** menu, which offers several choices from which to choose for the selected item(s).

-The ability to filter in a click and navigate to specific details can save you a lot of time in investigating threats.

-Explorer (as well as the real-time detections report) has several powerful filters and querying capabilities that enable you to drill into details, such as top targeted users, top malware families, detection technology and more. Each kind of report offers a variety of ways to view and explore data.

-description: Set up Microsoft Syntex.

-This article covers the initial setup experience for Microsoft Syntex. Before following the steps in this article, configure your [billing and licensing options](syntex-licensing.md) as follows:

-As an admin, you can also make changes to your selected settings anytime after setup, and throughout the content understanding management settings in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.

-1. On the **Use content AI with Microsoft Syntex** page, select **Set up Microsoft Syntex** to walk through the setup process. <br/>

-1. On the **Configure AI Builder model creation** page, you can choose if you want to let end users create and train models that use AI Builder and apply them to document libraries. A menu option will be available in the document library ribbon in SharePoint document libraries in which it is enabled.

-

- For **Which SharePoint sites should show the option to create structured and freeform document processing models**, you can select:</br>

- - **All SharePoint sites** to make it available to all SharePoint libraries in your organization.</br>

- - **Libraries in selected SharePoint sites**, and then select the sites in which you want to make it available or upload a list of up to 50 sites.</br>

- - **No SharePoint libraries** if you don't want to make it available to any sites (you can change this after setup).

- > [!Note]

- > Removing a site after it has been included does not affect existing models applied to the libraries in that site or the ability to apply unstructured document processing models to a library.

- If you want to enable model creation in all content center sites, select the **Enable AI Builder model creation in all content center sites** check box under **Libraries in selected SharePoint sites**.

- If you have multiple Power Platform environments configured, you can choose which one you want to use with for document processing. (This option will not appear if you only have one environment.)

- For **Power Platform environment**, you can select:

- - **Use the default environment** to use your default Power Platform environment.

- - **Use a custom environment** to use a custom environment. Choose the environment that you want to use from the list. ([See the requirements for a custom environment](/microsoft-365/contentunderstanding/set-up-content-understanding#requirements).)

- Select **Next**.

-1. On the **Create a content center** page, you can create a SharePoint content center site where your users can create and manage unstructured document processing models. If you previously created a content center from the SharePoint admin center, that information will display here and you can just select **Next**.

- 1. For **Content center name**, type the name you want to give your content center site.

-

- 1. The **Site address** will show the URL for your site, based on what you selected for the site name. If you want to change it, select **Edit**.

- Select **Next**.

-1. On the **Review and finish** page, you can look at your selected setting and choose to make changes. If you are satisfied with your selections, select **Activate**.

-1. On the confirmation page, select **Done**.

-1. You'll be returned to your **Use content AI with Microsoft Syntex** page. From this page, you can select **Manage Microsoft Syntex** to make any changes to your configuration settings.

-|Image tagging |The number of images processed. Each processed image counts as one transaction. You wonΓÇÖt be charged if you only enable pay-as-you-go billing for image tagging. You will be charged only when you enable image tagging on a [document library](image-tagging.md#to-enable-image-tagging-in-a-library). |$0.001/image