MC973503 - Microsoft Defender for Office: Introducing "Threat classification" for email

Service

Microsoft Defender XDR

Last Updated

Jan 23, 2025

Published Jan 7, 2025

Tag

Updated message
New feature
Admin impact

Summary

Microsoft Defender for Office is introducing "Threat classification" for emails, enhancing detection and response capabilities. The system uses advanced techniques for accurate threat intent classification. It will be integrated across various features, with rollout expected in January 2025. Updated documentation is available on Microsoft Learn.

More information

Updated January 23, 2025: We have updated our Threat Classification documentation on Microsoft Learn. You can now access the latest version from here.

Coming soon to Microsoft Defender for Office: We will introduce Threat classification details to enhance your ability to understand the intent behind email attacks. This update will allow you to integrate Threat classification information across key experiences, enabling better detection, analysis, and response. The Threat classification system utilizes large language models (LLMs), machine learning (ML) models, and other advanced techniques to understand the intent behind threats, providing a more accurate classification. As the system evolves, you can expect new Threat classifications to be added to keep pace with emerging attack methods.

When this will happen:

General Availability (Worldwide): We will begin rolling out early January 2025 and expect to complete by late January 2025.

How this will affect your organization:

Threat Explorer: You will be able to filter emails by Threat classification, view the classification in the results, analyze trends using charts, and export data with the classification details included.

Advanced Hunting: The ThreatClassification column will be available in the EmailEvents table, allowing you to create custom detection rules based on classification details.
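An added example, not a query from the Message Center post or from Microsoft's documentation, of how the new ThreatClassification column in EmailEvents could be used in Advanced Hunting. The first query is shaped so it can be saved as a custom detection rule (it keeps Timestamp, ReportId and the message and recipient identifiers a rule needs in its output); the second summarizes classifications for trend review. The classification value is a placeholder, and the column is assumed to be readable as a string via tostring().

```kql
// Added example (not from the Message Center post or Microsoft docs).
// Query 1: candidate custom detection rule for classified mail that was still
// delivered to a mailbox. Run each query separately in the Advanced Hunting editor.
let lookback = 7d;
let watched_classification = "<classification name>";   // placeholder: use a value from your tenant's Threat Explorer filter
EmailEvents
| where Timestamp > ago(lookback)
| where isnotempty(ThreatClassification)
| extend Classification = tostring(ThreatClassification)  // assumption: column renders as a string
| where Classification == watched_classification
| where DeliveryAction == "Delivered"                      // verdict assigned, but mail reached the inbox
| project Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
          Subject, Classification, DeliveryLocation, ReportId

// Query 2: trend view of classified mail per day, for comparison with the
// Threat Explorer charts the post describes.
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatClassification)
| extend Classification = tostring(ThreatClassification)
| summarize Messages = count(), DeliveredToInbox = countif(DeliveryAction == "Delivered")
    by Classification, bin(Timestamp, 1d)
| order by Timestamp desc, Messages desc
```

Saving Query 1 as a custom detection rule lets the resulting alerts and incidents carry the classification into the same email summary panel and email entity page the post describes.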

Email summary panel: Threat classification will be integrated across multiple areas, including Alerts, Incidents, Reports, AIR, Submission, Explorer, and Advanced Hunting, providing a comprehensive view of threat classifications.

Email entity page: A new Threat classification field will be added in the threat detection details, helping you understand the context and intent of the detected threat.

These changes will be available by default for admins to configure.

What you need to do to prepare:

Familiarize your team with the new Threat classification details available in the Threat Explorer, Advanced Hunting, email summary panel, and email entity page.

Leverage Threat classification to enhance filtering, hunting, and trend analysis in your workflows.

Prepare to update any custom detection rules or automated workflows to incorporate Threat classification for more targeted and insightful threat detection.

This rollout will happen automatically by the specified date with no admin action required before the rollout. Review your current configuration to determine the impact for your organization. You may want to notify your team about this change and update any relevant documentation.

Before rollout, we will update this post with revised documentation.