MC794815: Microsoft Defender XDR: Enhancing email remediation with Sender's copy clean-up features

Announcement IDMC794815Published Date05-21-2024
ServiceMicrosoft365DefenderLast Updated08-15-2024
CategoryStay informedExpiration Date10-21-2024
Roadmap IDAction Required by Date
TagsAdmin impact, Feature update


Summary
                Microsoft Defender XDR is introducing Sender's copy clean-up features to enhance email remediation. This includes integration with Soft delete, wide support across platforms, and an undo capability. It applies to intra-organization and outbound emails, with a rollout expected from end of May to early September 2024. Admins will have improved management of Sent items with no action required before the rollout.


More Information

Coming soon to Microsoft Defender XDR: We will enhance email remediation capabilities with new Sender's copy clean-up features in Threat Explorer, email entity, Summary Panel, and Advanced hunting. These new features will streamline the process of managing Sent items, particularly for admins who use Soft delete and Move to inbox actions.

Key Features

  • Integration with Soft delete: Sender's copy clean-up will be incorporated as part of the Soft delete action.
  • Wide support: This action will be supported across various Defender XDR platforms including Threat Explorer, Take Action wizard from the email entity, Summary Panel, Advanced hunting, and through Microsoft Graph API.
  • Undo capability: An undo action will be available, allowing you to reverse the clean-up by moving items back to the Sent folder.

Note: Sender's copy clean-up will apply to intra-organization emails and outbound emails, ensuring that only the sender's copy is soft deleted for these emails and inbound messages are out of scope.

When this will happen:

General Availability (Worldwide): We will begin rolling out end of May 2024 and expect to complete by early September 2024 (previously late July).

How this will affect your organization:

Before this rollout, admins did not have a way to remove harmful emails from a sender's Sent items.

After rollout: This step-by-step scenario explains the functionality of Sender's copy clean-up:

You as the admin have already investigated in Threat Explorer, email entity, or Advanced hunting and have selected entities to remediate.

1. Create remediation: After your entity selection, you choose an action and create the remediation. For the Soft delete action, these items will be visible in the Take action wizard:

  • Checkbox for Sender's copy. Select this option to clean the messages from sender's Sent folder.
  • Email count: Displays the number of emails submitted. This count will reflect sender's copy as well.
  • Sender's entities in a separate tab.

2. As the remediation begins: the approval ID to track the action is displayed (Note: This is the same as before the rollout.)

3. Track the remediation status: The Unified Action Center (Actions & submissions > Action center > History) contains all the approved actions. You can open any manual remediation action entry in Action center to:

  • View the email count: This count will be same as submitted email count.
  • Review the action logs: The email count and action logs will reflect the status of remediable, non-remediable, failed, and timed-out emails, including the sender's copy.
  • Export action logs: The export feature will include the new column IsSendersCopy to capture the sender entities and corresponding action status.

4. Undo sent items: The undo capability ensures that you have greater control and flexibility when managing email remediation, providing a safety net for actions taken in error or needing revision. Select the checkbox for Move to Inbox to trigger undo for the recipient copy and previously deleted sender's copy of a message.

From Advanced hunting: The Delete sender's copy option under Delete email > Soft delete:

Advanced hunting

From Threat Explorer: The Delete sender's copy option under Move to mailbox folder > Soft delete:

Threat Explorer

From Threat Explorer: The Undo sender's copy option under Move to mailbox folder > Inbox:

Threat Explorer

What you need to do to prepare:

This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your admins about this change and update any relevant documentation as appropriate.

Previous Post Next Post