Office 365|Security

New Override Alerts for Office 365 Create an Additional Safety Net

When getting started with your new Office 365 tenant, Microsoft has done a respectable job of making the first run experience not too overwhelming. But as your tenant grows, more people are added to roles that can impact policy, it’s possible that a rule could be created that will allow a malicious email or file to be delivered to a mailbox.

As an example, you may set a policy to enable a specific IP to deliver email but if an attacker is able to exploit this policy to deliver a phishing email, you may not be aware of the intrusion. This is the gap that Microsoft is trying to address with its new override alerts.

Announced today and the feature will start rolling out in early February, for those using Microsoft Defender for Office 365 Plan 1 and Plan 2, you will now be alerted when a message is delivered, only when it is determined with a high degree of confidence that it is phishing or malware, to a mailbox because of a policy that was enabled/disabled.

Specifically, Microsoft says that the “new system alert policies will enable security admins to receive alerts if a message with a high confidence phish or malware verdict is delivered to a mailbox due to one of the following” scenarios:

Sponsored Content

What is “Inside Microsoft Teams”?

“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.

  • Phish delivered due to an IP allow policy
  • Phish delivered due to an ETR override.
  • Phish delivered because a user’s Junk Mail Folder is disabled.
  • Phish not zapped because ZAP is disabled.
  • Malware not zapped because ZAP is disabled.

When this feature rolls out, the alert policies will be enabled by default but you can turn them on/off as needed. You will also have the ability to define who gets the alerts and also manage how many alerts are sent to help control false positives.

This looks to be a smart move by Microsoft to help contain malware/phishing in an environment where controls may not be correctly applied. Further, this is a safety net and even though it will not be perfect, this is a good step to help to prevent accidental exposure inside your tenant.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (2)

2 responses to “New Override Alerts for Office 365 Create an Additional Safety Net”

  1. <p>We send simulated phishing tests to our users, and have Exchange mail flow rules set up to make sure they land in the Inbox. Now this new alert is coming up "Phish delivered due to an ETR override." and I don't see a way to make an exception. I can turn the alert on or off, but I'd like to allow the phish tests through.</p>

  2. We’re in the same boat. If I could figure out a way in PowerShell of getting a report for a specific Identity of the "Sent By" and "To" details that are in the alert already that would help

Leave a Reply

Brad Sams has more than a decade of writing and publishing experience under his belt including helping to establish new and seasoned publications From breaking news about upcoming Microsoft products to telling the story of how a billion dollar brand was birthed in his book, Beneath a Surface, Brad is a well-rounded journalist who has established himself as a trusted name in the industry.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by:

Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: