MC822720 – (Updated) Microsoft Defender for Office 365: Four override alerts retire in August 2024


check before: 2024-08-18

Product:

Defender, Defender for Office 365, Exchange

Platform:

Online, World tenant

Status:

Change type:

Admin impact, Retirement, Updated message, User impact

Links:

Details:

Summary:
Four legacy override alerts in Microsoft Defender for Office 365 will be retired in September 2024 due to redundancy from the Secure by default feature. Affected users with specific subscriptions will not need to take any action as this change will occur automatically.

Details:
Updated August 28, 2024: We have updated the rollout timeline and content below. Thank you for your patience.
Microsoft Defender for Office 365 is retiring four legacy override alerts that are now mostly redundant due to Secure by default. With Secure by default, ZAP (zero-hour auto purge) blocks high confidence phishing emails by default despite the legacy overrides. The four alerts are:
Phish not zapped because ZAP is disabled
Malware not zapped because ZAP is disabled
Phish delivered due to ETR override
Phish delivered due to IP allow
As part of the deprecation and rollout,
These policies will no longer be part of the Alert policies in the Microsoft Defender portal.
Existing alerts that are already generated will be in the system (part of Alerts) until data retention applies.
Any features like AIR built on these policies will not function (return no data) but will not result in any crashes or issues to the system.
Any features like Investigations or post-breach functionalities will not have these alerts as part of the selection, filtering, or processing.
When is the change?
We plan to turn off these alerts starting August 18, 2024 and ending September 15, 2024.
Who is impacted?
Phish not zapped because ZAP is disabled: E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription
Malware not zapped because ZAP is disabled: E5/G5 or Defender for Office 365 P2 add-on subscription
Phish delivered due to ETR override: E1/F1/G1, E3/F3/G3, or E5/G5
Phish delivered due to IP allow: E1/F1/G1, E3/F3/G3, or E5/G5
What should I do if I am impacted?
This change will happen automatically by the specified date. No admin action is required. Since these alerts are mostly redundant, we do not expect any impact. Defender XDR Customers using Defender for O365 as a secondary filter (MX record pointed to 3rd party service) and still want the alerts can create a custom detection rule on EmailEvents table with filters on OrgLevelAction & OrgLevelPolicy.


Release Phase:

Created:
2024-07-20

Updated:
2024-08-31

Direct effects for Operations**

Retirement of Legacy Alerts
The retirement of four legacy override alerts may lead to confusion among users who relied on these alerts for monitoring phishing and malware threats.
   - roles: Security Administrator, IT Support
   - references: https://learn.microsoft.com/defender-office-365/secure-by-default, https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge

Loss of Custom Alert Functionality
Features built on the retired alerts will not function, potentially leading to gaps in threat detection and response capabilities.
   - roles: Security Analyst, Compliance Officer
   - references: https://learn.microsoft.com/defender-office-365/secure-by-default, https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge

Impact on Investigations
Investigations and post-breach functionalities will lack the retired alerts, which may hinder the ability to filter and process relevant data during security incidents.
   - roles: Incident Response Team, Security Analyst
   - references: https://learn.microsoft.com/defender-office-365/secure-by-default, https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge

User Experience with Phishing Alerts
Users may experience a false sense of security due to the automatic blocking of phishing emails without the visibility of alerts that were previously in place.
   - roles: End User, IT Support
   - references: https://learn.microsoft.com/defender-office-365/secure-by-default, https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge

Potential Miscommunication
Lack of communication regarding the change may lead to misunderstandings about the security posture and alerting mechanisms in place.
   - roles: Communications Officer, IT Manager
   - references: https://learn.microsoft.com/defender-office-365/secure-by-default, https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge

Configuration Options**

Disable Legacy Override Alerts
Disable the legacy override alerts that are being retired due to redundancy with Secure by default.
   - technical instructions: No action required; alerts will be disabled automatically by Microsoft.
   - references: https://learn.microsoft.com/defender-office-365/secure-by-default

Monitor Alert Policies
Monitor existing alert policies in the Microsoft Defender portal for any changes or updates.
   - technical instructions: Navigate to the Microsoft Defender portal and review the Alert policies section.
   - references: https://learn.microsoft.com/defender-office-365/alert-policies

Custom Detection Rules
Create custom detection rules for specific alerts if needed after the retirement of legacy alerts.
   - technical instructions: Use the EmailEvents table to create a custom detection rule with filters on OrgLevelAction & OrgLevelPolicy.
   - references: https://learn.microsoft.com/defender-office-365/custom-detection-rules
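The message above ("What should I do if I am impacted?") and the "Custom Detection Rules" item both point at the same replacement: a custom detection rule over the EmailEvents table filtered on OrgLevelAction and OrgLevelPolicy. The following advanced hunting query is an added example written for this page; it is not part of the MC822720 message and not Microsoft's or cloudscout.one's own content. The column names (Timestamp, ReportId, NetworkMessageId, ThreatTypes, DeliveryAction, OrgLevelAction, OrgLevelPolicy) are the documented EmailEvents schema; the two OrgLevelPolicy string values it matches on are assumptions and must be confirmed against your tenant's data with the summarize query in the comment before the rule is saved.

```kql
// Added example for MC822720 (not from the original message): an advanced hunting
// query that can be saved as a custom detection rule to stand in for the retired
// "Phish delivered due to ETR override" and "Phish delivered due to IP allow" alerts.
//
// ASSUMPTION: the OrgLevelPolicy values "ExchangeTransportRule" and "IPAllowList"
// are placeholders. Confirm the exact strings your tenant emits first with:
//   EmailEvents
//   | where Timestamp > ago(30d)
//   | summarize count() by OrgLevelAction, OrgLevelPolicy
EmailEvents
| where Timestamp > ago(1h)                 // custom detections re-run on a schedule; keep the window short
| where ThreatTypes has "Phish"             // message was classified as phishing
| where DeliveryAction == "Delivered"       // but still landed in a mailbox (not Junked/Blocked/Replaced)
| where OrgLevelAction == "Allow"           // because an organisation-level override allowed it
| where OrgLevelPolicy in~ ("ExchangeTransportRule", "IPAllowList")   // ASSUMED value names, see above
| project Timestamp, ReportId, NetworkMessageId, InternetMessageId,
          SenderFromAddress, RecipientEmailAddress, Subject,
          ThreatTypes, ConfidenceLevel, OrgLevelAction, OrgLevelPolicy
```

When saving this as a custom detection rule in the Defender portal, the query has to return Timestamp, ReportId and an entity column such as NetworkMessageId or RecipientEmailAddress, which is why they are kept in the project clause. Tenants that run Defender for Office 365 behind a third-party MX (the "secondary filter" case the message names) will see the IP allow list override most often, since the upstream service's IPs are typically allow-listed. The two retired "not zapped because ZAP is disabled" alerts have no direct EmailEvents equivalent, because ZAP outcomes are post-delivery events; they can be reviewed in the EmailPostDeliveryEvents table instead.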

Understand Data Retention Policies
Familiarize yourself with data retention policies as existing alerts will remain until retention applies.
   - technical instructions: Review the data retention settings in the Microsoft 365 compliance center.
   - references: https://learn.microsoft.com/microsoft-365/compliance/data-retention

Impact Assessment for Defender XDR Customers
Assess the impact on Defender XDR customers using Defender for O365 as a secondary filter.
   - technical instructions: Evaluate the configuration of MX records and adjust custom detection rules as necessary.
   - references: https://learn.microsoft.com/defender-xdr/overview

** AI generated content. This information is not reliable.

change history

Date: 2024-08-31
Property: MC Messages
old:
Microsoft Defender for Office 365 is retiring four legacy override alerts that are now mostly redundant due to Secure by default. With Secure by default, ZAP (zero-hour auto purge) blocks high confidence phishing emails by default despite the legacy overrides. The four alerts are:
Phish not zapped because ZAP is disabled
Malware not zapped because ZAP is disabled
Phish delivered due to ETR override
Phish delivered due to IP allow
As part of the deprecation and rollout,
These policies will no longer be part of the Alert policies in the Microsoft Defender portal.
Existing alerts that are already generated will be in the system (part of Alerts) until data retention applies.
Any features like AIR built on these policies will not function (return no data) but will not result in any crashes or issues to the system.
Any features like Investigations or post-breach functionalities will not have these alerts as part of the selection, filtering, or processing.
When is the change?
We plan to turn off these alerts starting August 18, 2024 and ending August 30, 2024.
Who is impacted?
Phish not zapped because ZAP is disabled: E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription
Malware not zapped because ZAP is disabled: E5/G5 or Defender for Office 365 P2 add-on subscription
Phish delivered due to ETR override: E1/F1/G1, E3/F3/G3, or E5/G5
Phish delivered due to IP allow: E1/F1/G1, E3/F3/G3, or E5/G5
What should I do if I am impacted?
This change will happen automatically by the specified date. No admin action is required. Since these alerts are mostly redundant, we do not expect any impact.
new:
Updated August 28, 2024: We have updated the rollout timeline and content below. Thank you for your patience.
Microsoft Defender for Office 365 is retiring four legacy override alerts that are now mostly redundant due to Secure by default. With Secure by default, ZAP (zero-hour auto purge) blocks high confidence phishing emails by default despite the legacy overrides. The four alerts are:
Phish not zapped because ZAP is disabled
Malware not zapped because ZAP is disabled
Phish delivered due to ETR override
Phish delivered due to IP allow
As part of the deprecation and rollout,
These policies will no longer be part of the Alert policies in the Microsoft Defender portal.
Existing alerts that are already generated will be in the system (part of Alerts) until data retention applies.
Any features like AIR built on these policies will not function (return no data) but will not result in any crashes or issues to the system.
Any features like Investigations or post-breach functionalities will not have these alerts as part of the selection, filtering, or processing.
When is the change?
We plan to turn off these alerts starting August 18, 2024 and ending September 15, 2024.
Who is impacted?
Phish not zapped because ZAP is disabled: E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription
Malware not zapped because ZAP is disabled: E5/G5 or Defender for Office 365 P2 add-on subscription
Phish delivered due to ETR override: E1/F1/G1, E3/F3/G3, or E5/G5
Phish delivered due to IP allow: E1/F1/G1, E3/F3/G3, or E5/G5
What should I do if I am impacted?
This change will happen automatically by the specified date. No admin action is required. Since these alerts are mostly redundant, we do not expect any impact. Defender XDR Customers using Defender for O365 as a secondary filter (MX record pointed to 3rd party service) and still want the alerts can create a custom detection rule on EmailEvents table with filters on OrgLevelAction & OrgLevelPolicy.

Date: 2024-08-31
Property: MC Title
old: Microsoft Defender for Office 365: Four override alerts retire in August 2024
new: (Updated) Microsoft Defender for Office 365: Four override alerts retire in August 2024

Date: 2024-08-31
Property: MC Last Updated
old: 07/19/2024 18:51:46
new: 2024-08-31T01:15:49Z

Date: 2024-08-31
Property: MC MessageTagNames
old: User impact, Admin impact, Retirement
new: Updated message, User impact, Admin impact, Retirement

Date: 2024-08-31
Property: MC Summary
old: Four legacy override alerts in Microsoft Defender for Office 365 will be retired in August 2024 due to redundancy from the Secure by default feature. Affected users with specific subscriptions will not need to take any action as this change will occur automatically.
new: Four legacy override alerts in Microsoft Defender for Office 365 will be retired in September 2024 due to redundancy from the Secure by default feature. Affected users with specific subscriptions will not need to take any action as this change will occur automatically.
