MS O365 Defender F.A.Q.
What is MS O365 Defender?
MS O365 Defender is an advanced email filter designed to protect University email from SPAM, phishing, and other malicious email.
Why is this system being implemented?
Unfortunately, universities are frequent targets for spammers and other malicious actors who try to take advantage of faculty, staff, and students. The previous email filtering system would catch a lot, but nowhere near all, malicious email messages. The malicious messages that would still deliver included malware and non-malware threats such as impostor or spoofed emails (also known as business email compromise, or BEC). As a result, MTSU implemented a more robust email filtering system in order to combat this type of threat.
How does email filtering work?
The MS O365 Defender Server filters all incoming and outgoing email. Based upon MS O365 Defender Server rules and policies, messages are "scored." The message score indicates the probability the message is spam or malicious in nature. Therefore, a message with the scoring of 100 would have 100% chance of being spam or malicious and will be found in the Spam-Quarantined section of the MS O365 Defender Web Application.
Can I or my department be excluded from email filtering?
All users must use email filtering because email security is most effective when as many people as possible are protected by its services. End users should work with ITD in order to try to rectify any possible false positive findings by email filtering.
Why do I see [External] in the subject line of emails?
Since most malicious emails originate with external email systems, all email messages from senders external to MTSU are now tagged with [External] in the subject line. Malicious actors use sophisticated tactics to lure users into clicking malicious links in emails, opening malicious attachments, and responding to spoofed emails using external email messages manipulated to look like it came from an MTSU email account.
Note the [External] email tag does not mean all external email messages are malicious. The tag is a visual indicator designed to help users stop and think about interacting with external messages as part of our ongoing efforts to reduce the risk associated with malicious emails.
What is the Quarantine?
The Quarantine is the location on a server where email messages that are suspected to be spam are stored.
What is the quarantine report?
The quarantine report is an email report of the spam added to your quarantine that day. The quarantine report is sent daily to help you keep abreast of the email that is being quarantined on your account. This feature is turned on by default.
What do I need to do with the quarantine report?
You do not need to do anything but delete the message after scanning it first for messages that you might not consider spam. If all the messages are spam, just delete the quarantine report. If not, you can take action on the messages in the quarantine report using the web links. For example, you can:
Review Message: Allows you to preview the message in the MS Defender quarantine review.
Request Release: Releases a message from the Quarantine and sends the message to your in-box
Block Sender: Add the sender to your blocked sender list.
To apply any of these actions to a message in your quarantine, simply click the link for the message. A browser window opens to let you know the request is being processed.
Why can't I release emails from my quarantine?
At the moment, the MS O365 Defender system is set to Quarantine and Deliver emails in order to give users time to trust specific email addresses by clicking the Allow Senders button. In the future, the email filter will be configured to Quarantine and Hold to help reduce the amount of unwanted or bulk emails that MTSU students and employees receive.
I did not get a quarantine today, why is that?
Your quarantine reports should only contain the list of messages that have been quarantined since the last report. Currently, empty quarantine reports are not sent. If no messages that have come through addressed to you have been quarantined during the last reporting period, you will not get a quarantine report.
I am still getting spam in my inbox. What can I do about it?
Spammers are always finding ways to circumvent even the best spam detection technologies. You should see a tremendous reduction in the spam messages in your inbox. However you can manually add e-mail address to your blocked senders list or report it to firstname.lastname@example.org.
Why did MS O365 Defender stop a legitimate message?
While MS O365 Defender filtering is incredibly accurate, no automated system is perfect. We recommend that you review your quarantined messages periodically, either in your quarantine report or by logging on to your MS Defender Web Console.
Why am I seeing a safelink URL when I hover over a link in email?
Email links and attachments are inspected as messages hit your inbox. During this process, all links are rewritten with a safelink URL. When you hover over an email link, you’ll see a URL that starts with: https://nam01.safelinks.protection.outlook.com. This lets you know the email has been scanned. If you click an unsafe email link, a notice will appear letting you know the Web site has been blocked. See the below images for examples of URL rewriting and Web site has been blocked messages.
Do I have to wait until my quarantine report to come in to see what has been quarantined?
You can see your quarantined email at any time by logging on to your MS Defender Web Console.
Can I receive my quarantine report in another language?
Yes, you may receive the quarantine report in a language other than English. From the MS Defender Portal, select Settings. In the Preferred Language field, make your selection.
ITD Help Desk
Sun: 12pm – 6pm
Mon-Thurs: 8am – 9pm
Fri: 8am – 4:30pm
Sat: 10am – 4:30pm
For students and staff who are unable to access the main Help Desk located in KUC 320, please call or email to schedule a meeting at our satellite office located in the ROTC Annex.