This article outlines the new configuration options and user features introduced to enable the post-delivery teachable moments flow. It also details the steps for existing customers to migrate to these new settings.
Post Delivery Settings
The post-delivery settings page is divided into the following sections:
- Teachable moments
- Dangerous emails
- Suspicious emails
- Threat tags
- Auto remediation
- Email productivity
Teachable Moments and Threat Tags
This section covers controls for teachable moment emails and Microsoft Outlook threat tags for different categories of emails.
Dangerous and Suspicious Emails
The configuration options for dangerous and suspicious emails include:
- Teachable Moment Email: Controls whether a teachable moment email should be sent when Defend analyzes an email as dangerous or suspicious. The options for this setting are Enabled or Disabled.
- Threat Tag: Controls whether a Microsoft Outlook category tag is added to an email if analysis detects a potentially dangerous or suspicious email. The options for this setting are Enabled or Disabled.
  - For dangerous emails, a Dangerous tag is displayed.
  - For suspicious emails, a Suspicious tag is displayed.
Threat Tags
Controls which threat tags are added to an email when Defend categorizes it as a threat. For all threat tags, the available options are Enabled or Disabled. The following threat tags are available:
- First-time sender
- Financial topics
- Impersonation
- Sensitive topics
Auto Remediation
Auto remediation controls what happens to an email when Defend analyzes and classifies the email as dangerous or suspicious. The following options are available for dangerous and suspicious auto remediation:
- Disabled
- Move to the “_Suspicious” folder
- Move to the Junk folder
- Move to the “Deleted Items” folder
- Move to the “Recoverable Deleted Items” folder
- Move to the “Recoverable Purges” folder
- Send to Microsoft Set Verdict API with a verdict of “Phish”
- Send to Microsoft Set Verdict API with a verdict of “High Confidence Phish”
Email Productivity
Email productivity controls comprise graymail and spam management. These settings allow admins to control the level of disturbance users receive from graymail or spam emails.
Graymail
Graymail refers to non-malicious bulk emails sent from legitimate sources. Examples of graymail include newsletters, announcements, or advertisements that users may have previously opted in to. Defend can detect and action graymail with the following functionality:
- Adding a graymail threat tag
- Moving mail to a _Graymail folder
Spam Management
Spam is unsolicited bulk email, also known as junk email. It's any kind of unwanted and unsolicited digital communication that gets sent out in bulk. Spam is usually sent for commercial purposes and can be dangerous when it contains malicious links or attachments. Defend can detect and action spam emails with the following functionality:
- Adding a spam threat tag
- Moving mail classified as spam to the Junk folder
Abuse Mailbox
Defend will monitor your organization’s specified abuse mailbox to identify reports from users and automatically remediate malicious and persistent phishing threats. Event notifications can also be configured to notify admins when specific actions have occurred regarding the abuse mailbox, as well as provide a feedback loop to users, ensuring they understand they are helping keep your organization secure.
The following options can be configured for the abuse mailbox:
- Create an Abuse mailbox address
- Select whether emails classified as dangerous after reanalysis are automatically remediated
- Select which status notifications are sent to users
- Specify the email signature to be displayed at the bottom of the user notification emails
Operation Mode Settings
These settings define the configuration scope and determine which user mailboxes are protected by Defend for phishing analysis and user security features.
Scanning Scope
This setting determines which mailboxes are monitored post-delivery via the Microsoft Graph API. The available options are as follows:
- Disabled: Post-delivery scanning is deactivated for all users.
- Microsoft Group: Post-delivery scanning is restricted to members of a specific Microsoft 365 group.
- Entire Tenancy: Post-delivery scanning is enabled for all licensed users across your organization.
Group Email Address
This setting is only visible when Scanning Scope is set to Microsoft Group. Enter the email address of the target Microsoft 365 group that will have post-delivery scanning enabled.
User Experience
This section outlines all the new user-facing features added as part of the post-delivery teachable moments flow.
Outlook Category Tags
Defend supports multiple new post-delivery configuration options to control the application of Microsoft Outlook category tags to emails.
These provide a quick way to identify the Defend classification of an email before it is even opened by a user. Category tags can also be clicked to view all emails that have been categorized in the same category.
The following categories are available:
- First-time sender
- Dangerous
- Suspicious
- Impersonation
- Financial
- Sensitive
- Graymail
- Spam
Example category tags are shown in the screenshot below.
Threat Notification
Defend can send threat notification emails to help your users recognize phishing attempts. These emails arrive after Defend identifies an email as suspicious or dangerous. Threat Notifications replace the original suspicious or dangerous email with information about what Defend detected.
Threat notification emails contain the following information and options:
- Original email details
  - Subject
  - From address
  - Sent time
  - Sender location
  - Sender relationship history
- Email Analysis Summary
  - Details up to five reasons why Defend thought the email could be a phishing attack
- Report buttons
  - Report the original email as “Phish”. This is only available for emails identified as suspicious.
  - Report the original email as “Not Phish”
An example threat notification email is shown in the screenshot below.