MS O365 Defender F.A.Q.

MS O365 Defender is an advanced email filter designed to protect University email from SPAM, phishing, and other malicious email.

Unfortunately, universities are frequent targets for spammers and other malicious actors who try to take advantage of faculty, staff, and students. The previous email filtering system would catch a lot, but nowhere near all, malicious email messages. The malicious messages that would still deliver included malware and non-malware threats such as impostor or spoofed emails (also known as business email compromise, or BEC). As a result, MTSU implemented a more robust email filtering system in order to combat this type of threat.

The MS O365 Defender Server filters all incoming and outgoing email. Based upon MS O365 Defender Server rules and policies, messages are "scored." The message score indicates the probability the message is spam or malicious in nature. Therefore, a message with the scoring of 100 would have 100% chance of being spam or malicious and will be found in the Spam-Quarantined section of the MS O365 Defender Web Application.

All users must use email filtering because email security is most effective when as many people as possible are protected by its services. End users should work with ITD in order to try to rectify any possible false positive findings by email filtering.

Since most malicious emails originate with external email systems, all email messages from senders external to MTSU are now tagged with [External] in the subject line. Malicious actors use sophisticated tactics to lure users into clicking malicious links in emails, opening malicious attachments, and responding to spoofed emails using external email messages manipulated to look like it came from an MTSU email account.

Note the [External] email tag does not mean all external email messages are malicious. The tag is a visual indicator designed to help users stop and think about interacting with external messages as part of our ongoing efforts to reduce the risk associated with malicious emails.

The Quarantine is the location on a server where email messages that are suspected to be spam are stored.

The quarantine report is an email report of the spam added to your quarantine that day. The quarantine report is sent daily to help you keep abreast of the email that is being quarantined on your account. This feature is turned on by default.

You do not need to do anything but delete the message after scanning it first for messages that you might not consider spam. If all the messages are spam, just delete the quarantine report. If not, you can take action on the messages in the quarantine report using the web links. For example, you can:

Review Message: Allows you to preview the message in the MS Defender quarantine review.
Request Release: Releases a message from the Quarantine and sends the message to your in-box
Block Sender: Add the sender to your blocked sender list.

To apply any of these actions to a message in your quarantine, simply click the link for the message. A browser window opens to let you know the request is being processed.

At the moment, the MS O365 Defender system is set to Quarantine and Deliver emails in order to give users time to trust specific email addresses by clicking the Allow Senders button. In the future, the email filter will be configured to Quarantine and Hold to help reduce the amount of unwanted or bulk emails that MTSU students and employees receive.

Your quarantine reports should only contain the list of messages that have been quarantined since the last report. Currently, empty quarantine reports are not sent. If no messages that have come through addressed to you have been quarantined during the last reporting period, you will not get a quarantine report.

Spammers are always finding ways to circumvent even the best spam detection technologies. You should see a tremendous reduction in the spam messages in your inbox. However you can manually add e-mail address to your blocked senders list or report it to abuse@mtsu.edu. 

While MS O365 Defender filtering is incredibly accurate, no automated system is perfect. We recommend that you review your quarantined messages periodically, either in your quarantine report or by logging on to your MS Defender Web Console.

Email links and attachments are inspected as messages hit your inbox. During this process, all links are rewritten with a safelink URL. When you hover over an email link, you’ll see a URL that starts with: https://nam01.safelinks.protection.outlook.com. This lets you know the email has been scanned. If you click an unsafe email link, a notice will appear letting you know the Web site has been blocked. See the below images for examples of URL rewriting and Web site has been blocked messages.

You can see your quarantined email at any time by logging on to your MS Defender Web Console.

Yes, you may receive the quarantine report in a language other than English. From the MS Defender Portal, select Settings. In the Preferred Language field, make your selection.