M365 Archive
Back to latest version
You're viewing a historical snapshot from Jul 19, 2024. This is not the latest version.

Metadata at Jul 19, 2024

Message ID

MC822720

View in Message Center

Published

Jul 19, 2024

Service

Exchange Online

Tag

Major change
User impact
Admin impact
Retirement
View the latest version See what changed since this version

MC822720 - Microsoft Defender for Office 365: Four override alerts retire in August 2024

Message Center

What changed since this version

removed textadded text

Updated August 28, 2024: We have updated the rollout timeline and content below. Thank you for your patience.

Microsoft Defender for Office 365 is retiring four legacy override alerts that are now mostly redundant due to Secure by default. With Secure by default, ZAP (zero-hour auto purge) blocks high confidence phishing emails by default despite the legacy overrides. The four alerts are:

  1. Phish not zapped because ZAP is disabled
  2. Malware not zapped because ZAP is disabled
  3. Phish delivered due to ETR override
  4. Phish delivered due to IP allow

As part of the deprecation and rollout,

  • These policies will no longer be part of the Alert policies in the Microsoft Defender portal.
  • Existing alerts that are already generated will be in the system (part of Alerts) until data retention applies.
  • Any features like AIR built on these policies will not function (return no data) but will not result in any crashes or issues to the system.
  • Any features like Investigations or post-breach functionalities will not have these alerts as part of the selection, filtering, or processing.

When is the change?

We plan to turn off these alerts starting August 18, 2024 and ending August 30,September 15, 2024.

Who is impacted?

  1. Phish not zapped because ZAP is disabled: E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription
  2. Malware not zapped because ZAP is disabled: E5/G5 or Defender for Office 365 P2 add-on subscription
  3. Phish delivered due to ETR override: E1/F1/G1, E3/F3/G3, or E5/G5
  4. Phish delivered due to IP allow: E1/F1/G1, E3/F3/G3, or E5/G5

What should I do if I am impacted?

This change will happen automatically by the specified date. No admin action is required. Since these alerts are mostly redundant, we do not expect any impact. Defender XDR Customers using Defender for O365 as a secondary filter (MX record pointed to 3rd party service) and still want the alerts can create a custom detection rule on EmailEvents table with filters on OrgLevelAction & OrgLevelPolicy.

Snapshot from Jul 19, 2024

Microsoft Defender for Office 365 is retiring four legacy override alerts that are now mostly redundant due to Secure by default. With Secure by default, ZAP (zero-hour auto purge) blocks high confidence phishing emails by default despite the legacy overrides. The four alerts are:

  1. Phish not zapped because ZAP is disabled
  2. Malware not zapped because ZAP is disabled
  3. Phish delivered due to ETR override
  4. Phish delivered due to IP allow

As part of the deprecation and rollout,

  • These policies will no longer be part of the Alert policies in the Microsoft Defender portal.
  • Existing alerts that are already generated will be in the system (part of Alerts) until data retention applies.
  • Any features like AIR built on these policies will not function (return no data) but will not result in any crashes or issues to the system.
  • Any features like Investigations or post-breach functionalities will not have these alerts as part of the selection, filtering, or processing.

When is the change?

We plan to turn off these alerts starting August 18, 2024 and ending August 30, 2024.

Who is impacted?

  1. Phish not zapped because ZAP is disabled: E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription
  2. Malware not zapped because ZAP is disabled: E5/G5 or Defender for Office 365 P2 add-on subscription
  3. Phish delivered due to ETR override: E1/F1/G1, E3/F3/G3, or E5/G5
  4. Phish delivered due to IP allow: E1/F1/G1, E3/F3/G3, or E5/G5

What should I do if I am impacted?

This change will happen automatically by the specified date. No admin action is required. Since these alerts are mostly redundant, we do not expect any impact.