New feature in Microsoft Defender for Office 365 enables faster, automated responses to email threats.
Microsoft has announced the general availability of its auto-remediation feature within Defender for Office 365 that launched in preview in May. This new feature allows organizations to tackle email threats faster and with less manual intervention.
Automated investigation and response (AIR) is a security feature that helps organizations quickly detect, analyze, and respond to email-based threats by using automated playbooks. When a suspicious activity or alert is triggered, AIR automatically investigates the incident, assesses its impact across users and mailboxes, and takes appropriate action. This streamlines threat response, reduces manual workload for security teams, and enhances protection against cyberthreats.
According to Microsoft, remediation actions proposed by AIR (such as deleting a malicious message or blocking a sender) require approval from the security operations team by default. The latest update lets administrators configure AIR to execute those remediations automatically for messages that fall into malicious entity clusters.
This new feature is designed to expedite the remediation of more threats to enhance customer protection. It also helps security teams save time by reducing the need for manual approval.
“When AIR recognizes a malicious file or URL, it creates a cluster around the malicious file or URL, grouping all messages that contain that file or URL into the respective cluster. The automated investigation then checks the location of the messages within the cluster and, if it finds messages within users’ mailboxes, AIR will produce a remediation action,” Microsoft explained.
With the auto-remediation feature, organizations can now configure the cluster type to “auto-remediate,” which automatically takes action (such as deleting or quarantining emails) without needing approval from the security operations (SecOps) team. This feature allows threats to be quickly remediated and significantly reduces response time.
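The following toy model, added here as an illustration and not Microsoft's code, walks through the flow described above: messages are grouped into clusters keyed on a malicious file hash or URL, only messages still sitting in a user mailbox produce a remediation action, and each action is either left pending SecOps approval (the default) or executed automatically when its cluster type is on the auto-remediate list. The message records, the indicator values, the location names, and the "file"/"url" cluster-type labels are all constructed for the example and are not Defender's real schema or settings.

```python
"""Toy model of AIR clustering and remediation gating (illustrative only)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Assumption: a message in any of these folders is still reachable by the user,
# so it is a candidate for remediation. Quarantined or blocked mail is not.
MAILBOX_LOCATIONS = {"Inbox", "Junk", "DeletedItems"}

# Constructed indicators standing in for a malicious attachment hash and URL.
FILE_IOC = "sha256:0000deadbeef"
URL_IOC = "https://phish.example.invalid/invoice"
MALICIOUS_INDICATORS: Tuple[str, ...] = (FILE_IOC, URL_IOC)  # tuple keeps cluster order stable


@dataclass(frozen=True)
class Message:
    message_id: str
    recipient: str
    location: str                      # delivery location at investigation time
    attachment_sha256: str = ""
    urls: Tuple[str, ...] = ()


@dataclass
class Cluster:
    indicator: str                     # the file hash or URL the cluster is built around
    messages: List[Message] = field(default_factory=list)

    @property
    def kind(self) -> str:
        # Assumed labelling: hash-keyed clusters are "file", everything else "url".
        return "file" if self.indicator.startswith("sha256:") else "url"


@dataclass
class RemediationAction:
    indicator: str
    cluster_kind: str
    message_ids: List[str]
    action: str = "Soft delete email"  # constructed action name
    status: str = "Pending approval"


# Constructed sample mail: two messages carry the file IOC, two carry the URL IOC,
# one is clean. m2 is already quarantined, so it must not produce an action.
SAMPLE_MESSAGES = [
    Message("m1", "alice@example.test", "Inbox", attachment_sha256=FILE_IOC),
    Message("m2", "bob@example.test", "Quarantine", attachment_sha256=FILE_IOC),
    Message("m3", "carol@example.test", "Inbox", urls=(URL_IOC,)),
    Message("m4", "dave@example.test", "Inbox", attachment_sha256="sha256:1111benign",
            urls=("https://intranet.example.test/ok",)),
    Message("m5", "erin@example.test", "Junk", urls=(URL_IOC,)),
]


def build_clusters(messages: List[Message], indicators: Tuple[str, ...]) -> Dict[str, Cluster]:
    """Group every message containing a known-malicious file or URL under that indicator."""
    clusters = {ioc: Cluster(ioc) for ioc in indicators}
    wanted = set(indicators)
    for m in messages:
        for ioc in indicators:                       # indicator order, not set order
            if ioc in wanted and (ioc == m.attachment_sha256 or ioc in m.urls):
                clusters[ioc].messages.append(m)
    return clusters


def investigate(clusters: Dict[str, Cluster],
                auto_remediate_types: FrozenSet[str] = frozenset()) -> List[RemediationAction]:
    """Produce one action per cluster that still has messages in user mailboxes.

    Actions are pending by default; clusters whose kind is listed in
    auto_remediate_types are marked as executed without SecOps approval.
    """
    actions = []
    for cluster in clusters.values():
        in_mailbox = [m for m in cluster.messages if m.location in MAILBOX_LOCATIONS]
        if not in_mailbox:
            continue                                 # nothing left for a user to open
        status = ("Approved and executed" if cluster.kind in auto_remediate_types
                  else "Pending approval")
        actions.append(RemediationAction(cluster.indicator, cluster.kind,
                                         [m.message_id for m in in_mailbox], status=status))
    return actions


def demo(auto_remediate_types: FrozenSet[str] = frozenset()) -> List[RemediationAction]:
    """Run the sample investigation with the given auto-remediation configuration."""
    return investigate(build_clusters(SAMPLE_MESSAGES, MALICIOUS_INDICATORS),
                       frozenset(auto_remediate_types))


if __name__ == "__main__":
    for a in demo(frozenset({"file"})):
        print(a.cluster_kind, a.indicator, a.message_ids, a.action, a.status)
```

Running the block with only the "file" cluster type set to auto-remediate leaves the URL cluster's action waiting in the approval queue while the file cluster's action executes, which is the per-cluster-type behaviour the next paragraph asks administrators to configure.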
Microsoft says that IT admins will need to select the cluster types to automatically remediate by following the steps listed below:
Microsoft Defender for Office 365 gives security teams several places to monitor and review the remediation actions the system takes automatically: the investigation details, the Action Center, the email entity page, Threat Explorer, and Advanced Hunting.
Microsoft will hold a webinar on Defender for Office 365 automated investigation and response (AIR) on June 25, 2025, at 8:00 AM PDT; registration is open on Microsoft's event page.