SHD / MC Checker

MC788953 | (Updated) Microsoft Defender for Office 365: New added feature called the Take action wizard in Threat Explorer.

Classification: stayInformed
Last Updated: 07/05/2024 17:47:46
Start Time: 04/29/2024 23:04:20
End Time: 08/05/2024 07:00:00

Message Content

Updated July 5, 2024: We are evaluating the timeline for GCC customers at this time and will communicate via Message center when we are ready to proceed. Thank you for your patience.

Microsoft Defender for Office 365 now allows several response actions to be executed at once through the Take action wizard in Threat Explorer / Real-time detections.

Many security analyst teams use Threat Explorer to execute bulk email remediation actions, and we're enhancing this capability with an improved Take action feature that makes remediation of threats more streamlined and efficient.

With the new Take action wizard, you can perform multiple actions, such as purging emails, inline submissions, triggering investigations and tenant-level block actions, together in a single wizard for up to 100 messages. You can also take tenant-level block actions for URLs and files directly from Threat Explorer.

If you need to perform bulk email remediation for more than 100 messages, the new wizard also lets you do that in an organized manner.

Some actions are unavailable depending on the message's current location. Where an action conflicts with that location, the new experience exposes it through a toggle: SecOps can turn individual actions on or off as desired and then take the appropriate action.

This message is associated with Microsoft 365 Roadmap ID 393937

[When this will happen:]

General Availability (Worldwide): Rollout began in mid-April 2024 and is expected to complete by late June 2024.

General Availability (GCC): On-hold.

[How this will affect your organization:]

If you are part of the Security Operations team and use the Microsoft Defender for Office 365 email remediation features, the following are the enhancements to the email entity page and email summary panel:

  • Step 1: Log into the Microsoft 365 Defender portal at https://security.microsoft.com
  • Step 2: Navigate to Threat Explorer / Real-time detections and select the desired emails.
  • Step 3: Click Take action. Note that this drop-down menu was previously called Message actions.
  • A new panel opens (see figure 1). Some actions may be unavailable based on the message's latest delivery location.
  • Step 4: Click "I've confirmed as threat" to open a new panel, where you can select multiple entities to block. Note that Tenant Allow/Block List (TABL) actions are located under Submissions.
  • Step 5: Select the target entities.
  • Step 6: Review and submit your actions.

The available actions in the Take action wizard in Threat Explorer (Defender for Office 365 Plan 2) and Real-time detections (Defender for Office 365 Plan 1) are listed below:

Actions under Threat Explorer

  • Move to mailbox folder. 
  • Submit to Microsoft for review. 
  • Allow or block entries in the Tenant Allow/Block List³ 
  • Initiate automated investigation. 
  • Propose remediation. 

Actions under Real-time detections

  • Submit to Microsoft for review.
  • Allow or block entries in the Tenant Allow/Block List³ 

¹ This action requires the Search and Purge role in email & collaboration permissions. By default, this role is assigned only to the Data Investigator and Organization Management role groups. You can add users to those role groups, or create a new role group with the Search and Purge role assigned and add the users to that custom role group.

[What you need to do to prepare:]

To perform email purge actions from the email entity page, you must hold the Search and Purge role, as well as the other necessary permissions within the Microsoft 365 Defender portal.
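Because Search and Purge lets an operator delete mail across the whole tenant, the practical preparation step for both the footnote above and this section is to know exactly who holds it and to grant it through a dedicated role group rather than by widening Organization Management. The following PowerShell is an added example, not code from the Message Center post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that the email & collaboration role groups are managed through Security & Compliance PowerShell (Connect-IPPSSession). The role group name "Purge Operators" and the member address are placeholders.

```powershell
# Added example (not from the original post): audit holders of the
# "Search And Purge" role and, optionally, create a least-privilege role group
# for the analysts who run purge actions from the Take action wizard.
# Assumes: ExchangeOnlineManagement module; a Security & Compliance session.

Connect-IPPSSession

function Get-SearchAndPurgeHolders {
    # Every role group that carries the Search And Purge role, with its members.
    # -match is used rather than -contains because the Roles property may hold
    # either bare role names or full identity strings depending on the tenant.
    Get-RoleGroup |
        Where-Object { $_.Roles -match 'Search And Purge' } |
        ForEach-Object {
            $members = @(Get-RoleGroupMember -Identity $_.Name)
            [pscustomobject]@{
                RoleGroup   = $_.Name
                MemberCount = $members.Count
                Members     = ($members.Name -join ', ')
            }
        }
}

# Review who can purge mail today. Expect only Data Investigator and
# Organization Management unless the tenant has customised this.
Get-SearchAndPurgeHolders | Format-Table -AutoSize

# Grant the role through a dedicated group instead of enlarging a broad one.
# Placeholder names below; replace with your own group and user.
$groupName = 'Purge Operators'
$operator  = 'analyst@contoso.example'   # placeholder UPN

if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName `
                  -Roles 'Search And Purge' `
                  -Members $operator `
                  -Description 'SecOps analysts permitted to purge mail via Threat Explorer'
} else {
    Add-RoleGroupMember -Identity $groupName -Member $operator
}

# Confirm the change landed and nothing else changed.
Get-SearchAndPurgeHolders | Format-Table -AutoSize
```

Run the audit half first and compare it against your change records; any role group holding Search and Purge that you did not create deliberately is worth investigating, since it is the permission that turns a compromised analyst account into tenant-wide mailbox deletion.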

Additional References: