check before: 2024-08-18
Product:
Defender, Defender for Office 365, Exchange
Platform:
Online, World tenant
Status:
Change type:
Admin impact, Retirement, Updated message, User impact
Links:
Details:
Summary:
Four legacy override alerts in Microsoft Defender for Office 365 will be retired in September 2024 due to redundancy from the Secure by default feature. Affected users with specific subscriptions will not need to take any action as this change will occur automatically.
Details:
Updated August 28, 2024: We have updated the rollout timeline and content below. Thank you for your patience.
Microsoft Defender for Office 365 is retiring four legacy override alerts that are now mostly redundant due to Secure by default. With Secure by default, ZAP (zero-hour auto purge) blocks high confidence phishing emails by default despite the legacy overrides. The four alerts are:
Phish not zapped because ZAP is disabled
Malware not zapped because ZAP is disabled
Phish delivered due to ETR override
Phish delivered due to IP allow
As part of the deprecation and rollout:
These policies will no longer be part of the Alert policies in the Microsoft Defender portal.
Existing alerts that are already generated will be in the system (part of Alerts) until data retention applies.
Any features like AIR built on these policies will not function (return no data) but will not result in any crashes or issues to the system.
Any features like Investigations or post-breach functionalities will not have these alerts as part of the selection, filtering, or processing.
When is the change?
We plan to turn off these alerts starting August 18, 2024 and ending September 15, 2024.
Who is impacted?
Phish not zapped because ZAP is disabled: E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription
Malware not zapped because ZAP is disabled: E5/G5 or Defender for Office 365 P2 add-on subscription
Phish delivered due to ETR override: E1/F1/G1, E3/F3/G3, or E5/G5
Phish delivered due to IP allow: E1/F1/G1, E3/F3/G3, or E5/G5
What should I do if I am impacted?
This change will happen automatically by the specified date. No admin action is required. Since these alerts are mostly redundant, we do not expect any impact. Defender XDR customers who use Defender for O365 as a secondary filter (MX record pointed to a 3rd-party service) and still want the alerts can create a custom detection rule on the EmailEvents table with filters on OrgLevelAction and OrgLevelPolicy.
Release Phase:
Created:
2024-07-20
updated:
2024-08-31
Direct effects for Operations**
Retirement of Legacy Alerts
The retirement of four legacy override alerts may lead to confusion among users who relied on these alerts for monitoring phishing and malware threats.
- roles: Security Administrator, IT Support
- references: https://learn.microsoft.com/defender-office-365/secure-by-default, https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge
Loss of Custom Alert Functionality
Features built on the retired alerts will not function, potentially leading to gaps in threat detection and response capabilities.
- roles: Security Analyst, Compliance Officer
- references: https://learn.microsoft.com/defender-office-365/secure-by-default, https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge
Impact on Investigations
Investigations and post-breach functionalities will lack the retired alerts, which may hinder the ability to filter and process relevant data during security incidents.
- roles: Incident Response Team, Security Analyst
- references: https://learn.microsoft.com/defender-office-365/secure-by-default, https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge
User Experience with Phishing Alerts
Users may experience a false sense of security due to the automatic blocking of phishing emails without the visibility of alerts that were previously in place.
- roles: End User, IT Support
- references: https://learn.microsoft.com/defender-office-365/secure-by-default, https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge
Potential Miscommunication
Lack of communication regarding the change may lead to misunderstandings about the security posture and alerting mechanisms in place.
- roles: Communications Officer, IT Manager
- references: https://learn.microsoft.com/defender-office-365/secure-by-default, https://learn.microsoft.com/defender-office-365/zero-hour-auto-purge
Configuration Options**
Disable Legacy Override Alerts
Disable the legacy override alerts that are being retired due to redundancy with Secure by default.
- technical instructions: No action required; alerts will be disabled automatically by Microsoft.
- references: https://learn.microsoft.com/defender-office-365/secure-by-default
Monitor Alert Policies
Monitor existing alert policies in the Microsoft Defender portal for any changes or updates.
- technical instructions: Navigate to the Microsoft Defender portal and review the Alert policies section.
- references: https://learn.microsoft.com/defender-office-365/alert-policies
Custom Detection Rules
Create custom detection rules for specific alerts if needed after the retirement of legacy alerts.
- technical instructions: Use the EmailEvents table to create a custom detection rule with filters on OrgLevelAction & OrgLevelPolicy.
- references: https://learn.microsoft.com/defender-office-365/custom-detection-rules
Understand Data Retention Policies
Familiarize yourself with data retention policies as existing alerts will remain until retention applies.
- technical instructions: Review the data retention settings in the Microsoft 365 compliance center.
- references: https://learn.microsoft.com/microsoft-365/compliance/data-retention
Impact Assessment for Defender XDR Customers
Assess the impact on Defender XDR customers using Defender for O365 as a secondary filter.
- technical instructions: Evaluate the configuration of MX records and adjust custom detection rules as necessary.
- references: https://learn.microsoft.com/defender-xdr/overview
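The notice (in "What should I do if I am impacted?" and again under "Custom Detection Rules" above) says that tenants using Defender for Office 365 as a secondary filter can rebuild the retired alerts as a custom detection rule over EmailEvents, filtered on OrgLevelAction and OrgLevelPolicy. The following advanced hunting query is an added example of such a rule, not Microsoft's own content: the table name and the two override columns come from the notice, the other columns (Timestamp, DeliveryAction, ThreatTypes, NetworkMessageId, RecipientEmailAddress, ReportId, and so on) are standard EmailEvents schema columns, and the literal values `"Allow"` and `"Delivered"` are assumptions that should be confirmed against the tenant's own data before the rule is saved.

```kql
// Added example (not part of the Microsoft message): approximate the retired
// "Phish delivered due to ETR override" and "Phish delivered due to IP allow"
// alerts from raw EmailEvents data.
//
// Step 1 (run once, interactively) - discover which override values the
// tenant actually produces, because the exact strings are an ASSUMPTION here:
//   EmailEvents
//   | where Timestamp > ago(7d)
//   | summarize count() by OrgLevelAction, OrgLevelPolicy
//
// Step 2 - the detection itself. Lookback window: keep ago() at least as long
// as the rule's run frequency so no delivery window is missed.
EmailEvents
| where Timestamp > ago(1h)
// Messages Defender classified as phishing ...
| where ThreatTypes has "Phish"
// ... that nevertheless reached the mailbox ...
| where DeliveryAction == "Delivered"
// ... because a tenant-level override (e.g. transport rule or IP allow) allowed
// them through. Replace "Allow" with the value observed in Step 1 if it differs.
| where OrgLevelAction == "Allow"
| where isnotempty(OrgLevelPolicy)
// Custom detection rules need Timestamp, ReportId and an entity column
// (NetworkMessageId / RecipientEmailAddress) to build the alert; keep them.
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, Subject, ThreatTypes, DeliveryLocation,
          OrgLevelAction, OrgLevelPolicy
```

Save the query as a custom detection rule in the Microsoft Defender portal (Hunting > Advanced hunting > Create detection rule), give it the alert title and severity the retired alert previously carried, and choose the run frequency the lookback window above was sized for. Splitting `OrgLevelPolicy` into separate rules (one per override type) reproduces the one-alert-per-cause behaviour of the four retired policies more closely than a single combined rule.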
** AI generated content. This information is not reliable.
change history
Date | Property | old | new |
--- | --- | --- | --- |
2024-08-31 | MC Messages | Microsoft Defender for Office 365 is retiring four legacy override alerts that are now mostly redundant due to Secure by default. With Secure by default, ZAP (zero-hour auto purge) blocks high confidence phishing emails by default despite the legacy overrides. The four alerts are: Phish not zapped because ZAP is disabled Malware not zapped because ZAP is disabled Phish delivered due to ETR override Phish delivered due to IP allow As part of the deprecation and rollout, These policies will no longer be part of the Alert policies in the Microsoft Defender portal. Existing alerts that are already generated will be in the system (part of Alerts) until data retention applies. Any features like AIR built on these policies will not function (return no data) but will not result in any crashes or issues to the system. Any features like Investigations or post-breach functionalities will not have these alerts as part of the selection, filtering, or processing. When is the change? We plan to turn off these alerts starting August 18, 2024 and ending August 30, 2024. Who is impacted? Phish not zapped because ZAP is disabled: E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription Malware not zapped because ZAP is disabled: E5/G5 or Defender for Office 365 P2 add-on subscription Phish delivered due to ETR override: E1/F1/G1, E3/F3/G3, or E5/G5 Phish delivered due to IP allow: E1/F1/G1, E3/F3/G3, or E5/G5 What should I do if I am impacted? This change will happen automatically by the specified date. No admin action is required. Since these alerts are mostly redundant, we do not expect any impact. | Updated August 28, 2024: We have updated the rollout timeline and content below. Thank you for your patience. Microsoft Defender for Office 365 is retiring four legacy override alerts that are now mostly redundant due to Secure by default. With Secure by default, ZAP (zero-hour auto purge) blocks high confidence phishing emails by default despite the legacy overrides. The four alerts are: Phish not zapped because ZAP is disabled Malware not zapped because ZAP is disabled Phish delivered due to ETR override Phish delivered due to IP allow As part of the deprecation and rollout, These policies will no longer be part of the Alert policies in the Microsoft Defender portal. Existing alerts that are already generated will be in the system (part of Alerts) until data retention applies. Any features like AIR built on these policies will not function (return no data) but will not result in any crashes or issues to the system. Any features like Investigations or post-breach functionalities will not have these alerts as part of the selection, filtering, or processing. When is the change? We plan to turn off these alerts starting August 18, 2024 and ending September 15, 2024. Who is impacted? Phish not zapped because ZAP is disabled: E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription Malware not zapped because ZAP is disabled: E5/G5 or Defender for Office 365 P2 add-on subscription Phish delivered due to ETR override: E1/F1/G1, E3/F3/G3, or E5/G5 Phish delivered due to IP allow: E1/F1/G1, E3/F3/G3, or E5/G5 What should I do if I am impacted? This change will happen automatically by the specified date. No admin action is required. Since these alerts are mostly redundant, we do not expect any impact. Defender XDR Customers using Defender for O365 as a secondary filter (MX record pointed to 3rd party service) and still want the alerts can create a custom detection rule on EmailEvents table with filters on OrgLevelAction & OrgLevelPolicy. |
2024-08-31 | MC Title | Microsoft Defender for Office 365: Four override alerts retire in August 2024 | (Updated) Microsoft Defender for Office 365: Four override alerts retire in August 2024 |
2024-08-31 | MC Last Updated | 07/19/2024 18:51:46 | 2024-08-31T01:15:49Z |
2024-08-31 | MC MessageTagNames | User impact, Admin impact, Retirement | Updated message, User impact, Admin impact, Retirement |
2024-08-31 | MC Summary | Four legacy override alerts in Microsoft Defender for Office 365 will be retired in August 2024 due to redundancy from the Secure by default feature. Affected users with specific subscriptions will not need to take any action as this change will occur automatically. | Four legacy override alerts in Microsoft Defender for Office 365 will be retired in September 2024 due to redundancy from the Secure by default feature. Affected users with specific subscriptions will not need to take any action as this change will occur automatically. |