Merge pull request #948 from MicrosoftDocs/QuarRel-chrisda

chrisda · web-flow · commit 39f315e1db8b · 2024-07-15T09:28:47.000-07:00
QuarRel-chrisda
diff --git a/defender-office-365/defender-for-office-365-whats-new.md b/defender-office-365/defender-for-office-365-whats-new.md
@@ -51,7 +51,7 @@ For more information on what's new with other Microsoft Defender security produc
 
 - **Automated end user feedback**: The user submission automatic feedback response capability in Microsoft Defender for Office 365 enables organizations to automatically respond to end user submissions of phishing based on the verdict from the automated investigation. [Learn more](air-user-automatic-feedback-response.md).
 
-- We are introducing **Sender's copy clean-up features** in Threat Explorer, email entity, Summary Panel, and Advanced hunting. These new features will streamline the process of managing Sent items, particularly for admins who use Soft delete and Move to inbox actions. For more information, see [Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md). Key highlights:
+- We are introducing **Sender's copy clean-up features** in Threat Explorer, email entity, Summary Panel, and Advanced hunting. These new features will streamline the process of managing Sent items, particularly for admins who use the actions **Move to mailbox folder** \> **Soft delete** and **Move to mailbox folder** \> **Inbox**. For more information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard). Key highlights:
 - Integration with Soft delete: Sender's copy clean-up will be incorporated as part of the Soft delete action.
   - Wide support: This action will be supported across various Defender XDR platforms including Threat Explorer, Take Action wizard from the email entity, Summary Panel, Advanced hunting, and through Microsoft Graph API.
   - Undo capability: An undo action will be available, allowing you to reverse the clean-up by moving items back to the Sent folder.
diff --git a/defender-office-365/mdo-email-entity-page.md b/defender-office-365/mdo-email-entity-page.md
@@ -80,7 +80,7 @@ The details pane on the left side of the page contains collapsible sections with
     - **Quarantine**
     - **Unknown**
   - **Latest Threats**
-  - **Latest delivery location**: The location of the message after system actions on the message (for example, [ZAP](zero-hour-auto-purge.md)), or admin actions on the message (for example, [Move to Deleted Items](threat-explorer-threat-hunting.md#email-remediation)). User actions on the message (for example, deleting or archiving the message) aren't shown, so this value doesn't guarantee the _current location_ of the message.
+  - **Latest delivery location**: The location of the message after system actions on the message (for example, [ZAP](zero-hour-auto-purge.md)), or admin actions on the message (for example, [Move to Deleted Items](threat-explorer-threat-hunting.md#the-take-action-wizard)). User actions on the message (for example, deleting or archiving the message) aren't shown, so this value doesn't guarantee the _current location_ of the message.
 
     > [!TIP]
     > There are scenarios where **Original delivery location**/**Latest delivery location** and/or **Delivery action** have the value **Unknown**. For example:
@@ -459,7 +459,7 @@ Use :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="fal
 
 The following actions are available at the top of the Email entity page:
 
-- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation).
+- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard).
 - :::image type="icon" source="media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **Email preview**¹ ²
 - :::image type="icon" source="media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options**:
   - :::image type="icon" source="media/m365-cc-sc-open-icon.png" border="false"::: **Go to quarantined email**: Available only if the message was quarantined. Selecting this action opens the **Email** tab on the **Quarantine** page at <https://security.microsoft.com/quarantine>, filtered by the unique **Message ID** value of the message. For more information, see [View quarantined email](quarantine-admin-manage-messages-files.md#view-quarantined-email).
diff --git a/defender-office-365/quarantine-admin-manage-messages-files.md b/defender-office-365/quarantine-admin-manage-messages-files.md
@@ -276,7 +276,9 @@ If you don't release or remove a message, it's automatically deleted from quaran
 >
 > - Inbox rules (created by users in Outlook or by admins by using the **\*-InboxRule** cmdlets in Exchange Online PowerShell) can move or delete messages from the Inbox.
 >
-> Admins can use [message trace](message-trace-defender-portal.md) to determine if a released message was delivered to the recipient's Inbox.
+> - Admins can use [message trace](message-trace-defender-portal.md) to determine if a released message was delivered to the recipient's Inbox.
+>
+> - Selecting **Move to mailbox folder** \> **Inbox** on quarantined messages in :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** from other Defender for Office 365 features (for example, Explorer (Threat Explorer) or the Email entity page) also allows you to release messages from quarantine. For more information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard).
 
 After you select the message, use either of the following methods to release it:
 
diff --git a/defender-office-365/reports-email-security.md b/defender-office-365/reports-email-security.md
@@ -525,7 +525,7 @@ If you select an entry from the details table by clicking anywhere in the row ot
 In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report:
 
 - :::image type="icon" source="media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity**: For more information, see [The Email entity page in Microsoft Defender for Office 365](mdo-email-entity-page.md).
-- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation).
+- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard).
 
 On the **Threat protection status** page, the :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
 
@@ -591,7 +591,7 @@ If you select an entry from the details table by clicking anywhere in the row ot
 In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report:
 
 - :::image type="icon" source="media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity**: For more information, see [The Email entity page in Microsoft Defender for Office 365](mdo-email-entity-page.md).
-- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation).
+- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard).
 
 On the **Threat protection status** page, the :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
 
@@ -659,7 +659,7 @@ If you select an entry from the details table by clicking anywhere in the row ot
 In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report:
 
 - :::image type="icon" source="media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity**: For more information, see [The Email entity page in Microsoft Defender for Office 365](mdo-email-entity-page.md).
-- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation).
+- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard).
 
 On the **Threat protection status** page, the :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
 
@@ -722,7 +722,7 @@ If you select an entry from the details table by clicking anywhere in the row ot
 In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report:
 
 - :::image type="icon" source="media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity**: For more information, see [The Email entity page in Microsoft Defender for Office 365](mdo-email-entity-page.md).
-- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation).
+- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard).
 
 On the **Threat protection status** page, the :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
 
@@ -786,7 +786,7 @@ If you select an entry from the details table by clicking anywhere in the row ot
 In Defender for Microsoft 365, the following actions are available at the top of the Email summary panel for the Threat protection status report:
 
 - :::image type="icon" source="media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity**: For more information, see [The Email entity page in Microsoft Defender for Office 365](mdo-email-entity-page.md).
-- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation).
+- :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**: For information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard).
 
 On the **Threat protection status** page, the :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **[Create schedule](#schedule-recurring-reports)**, :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Request report](#request-on-demand-reports-for-download)**, and :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="false"::: **[Export](#export-report-data)** actions are available.
 
diff --git a/defender-office-365/threat-explorer-email-security.md b/defender-office-365/threat-explorer-email-security.md
@@ -143,9 +143,9 @@ The report shows the results that malware detected in email, using the technolog
 
 ## Report messages as clean
 
-You can use the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission> to [report messages as clean (false positives) to Microsoft](submissions-admin.md#report-good-email-to-microsoft). But you can also submit messages as clean to Microsoft from Explorer or Real-time detections.
+You can use the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission> to [report messages as clean (false positives) to Microsoft](submissions-admin.md#report-good-email-to-microsoft). But you can also submit messages as clean to Microsoft from :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** in Threat Explorer or the Email entity page.
 
-For instructions, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation).
+For instructions, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard).
 
 To summarize:
 
diff --git a/defender-office-365/threat-explorer-threat-hunting.md b/defender-office-365/threat-explorer-threat-hunting.md
@@ -7,7 +7,7 @@ author: chrisda
 manager: deniseb
 audience: ITPro
 ms.topic: conceptual
-ms.date: 05/20/2024
+ms.date: 06/12/2024
 ms.localizationpriority: medium
 ms.collection:
   - m365-security
@@ -170,46 +170,47 @@ After you determine that an email message is a threat, the next step is remediat
 
   :::image type="content" source="media/te-rtd-all-email-view-email-tab-details-area-subject-details-flyout-actions-only.png" alt-text="The actions available in the details tab after you select a Subject value in the Email tab of the details area in the All email view." lightbox="media/te-rtd-all-email-view-email-tab-details-area-subject-details-flyout-actions-only.png":::
 
-Selecting :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** opens the **Take action** wizard in a flyout. The available actions in the **Take action** wizard in Threat Explorer (Defender for Office 365 Plan 2) and Real-time detections (Defender for Office 365 Plan 1) are listed in the following table:
+#### The Take action wizard
 
-|Action|Threat<br/>Explorer|Real-time<br/>Detections|
+Selecting :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** opens the **Take action** wizard in a flyout. The available actions in the **Take action** wizard in Defender for Office 365 Plan 2 and Defender for Office 365 Plan 1 are listed in the following table:
+
+|Action|Defender for<br/>Office 365 Plan 2|Defender for<br/>Office 365 Plan 1|
 |---|:---:|:---:|
 |**Move to mailbox folder**|✔¹||
+|&nbsp;&nbsp;Release quarantined messages to some or all original recipients²|✔||
 |**Submit to Microsoft for review**|✔|✔|
-|&nbsp;&nbsp;**Allow or block entries in the Tenant Allow/Block List**²|✔|✔|
+|&nbsp;&nbsp;**Allow or block entries in the Tenant Allow/Block List**³|✔|✔|
 |**Initiate automated investigation**|✔||
 |**Propose remediation**|✔||
 
 ¹ This action requires the **Search and Purge** role in [Email & collaboration permissions](mdo-portal-permissions.md). By default, this role is assigned only to the **Data Investigator** and **Organization Management** role groups. You can add users to those role groups, or you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and add the users to the custom role group.
 
-² This action is available under **Submit to Microsoft for review**.
+² This option is available for quarantined messages when you select **Inbox** as the move location.
+
+³ This action is available under **Submit to Microsoft for review**.
 
 The **Take action** wizard is described in the following list:
 
-1. On the **Choose response actions** page, make the following selections:
+1. On the **Choose response actions** page, the following options are available:
 
    - **Show all response actions**: This option is available only in Threat Explorer.
 
-     By default, some actions are unavailable/grayed out based on the latest delivery location of the message. To show all available response actions, slide the toggle to :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **On**.
-
-   - **Email message actions** section:
-
-     You can select multiple actions if you selected 100 or less messages from the **Email** tab (view) of the details area of the **All email**, **Malware**, or **Phish** views when you selected :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**.
-
-     You can also select multiple actions if you selected :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** in the details flyout after you clicked on the **Subject** value of an entry.
-
-     Select one or more of the available options:
+     By default, some actions are unavailable/grayed out based on the **Latest delivery location** value of the message. To show all available response actions, slide the toggle to :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **On**.
 
    - **Move to mailbox folder**: Select one of the available values that appear:
      - **Junk**: Move the message to the Junk Email folder.
-     - **Inbox**: Move the message to the Inbox.
+     - **Inbox**: Move the message to the Inbox. Selecting this value might also reveal the following options:
+
+       - **Move back to Sent Items folder**: If the message was sent by an internal sender and the message was soft deleted (moved to the Recoverable Items\Deletions folder), selecting this option tries to move the message back to the Sent Items folder. This option is an undo action if you previously selected **Move to mailbox folder** \> **Soft deleted items** and also selected **Delete sender's copy** on a message.
 
-       **Move back to Sent Items folder**: Also try to move the message from the sender's Recoverable Items\Deletions folder to the Sent Items folder if the sender is the organization.
+       - For messages with the value **Quarantine** for the **Latest delivery location** property, selecting **Inbox** releases the message from quarantine, so the following options are also available:
+         - **Release to one or more of the original recipients of the e-mail**: If you select this value, a box appears where you can select or deselect the original recipients of the quarantined message.
+         - **Release to all recipients**
 
      - **Deleted items**: Move the message to the Deleted items folder.
-     - **Soft deleted items**: Delete the message from the Deleted items folder (move to the Recoverable Items\Deletions folder). The message is recoverable by the user and admins.
+     - **Soft deleted items**: Move the message to the Recoverable Items\Deletions folder, which is equivalent to deleting the message from the Deleted items folder. The message is recoverable by the user and admins.
 
-       **Delete sender's copy**: Also try to soft delete the message from the sender's Sent Items folder if the sender is the organization.
+       **Delete sender's copy**: If the message was sent by an internal sender, also try to soft delete the message from the sender's Sent Items folder.
 
      - **Hard deleted items**: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see [Soft-deleted and hard-deleted items](/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-items).
 

Original file line number	Diff line number	Diff line change
`@@ -276,7 +276,9 @@ If you don't release or remove a message, it's automatically deleted from quaran`
`276`	`276`	`>`
`277`	`277`	`> - Inbox rules (created by users in Outlook or by admins by using the *\-InboxRule** cmdlets in Exchange Online PowerShell) can move or delete messages from the Inbox.`
`278`	`278`	`>`
`279`		`-> Admins can use [message trace](message-trace-defender-portal.md) to determine if a released message was delivered to the recipient's Inbox.`
	`279`	`+> - Admins can use [message trace](message-trace-defender-portal.md) to determine if a released message was delivered to the recipient's Inbox.`
	`280`	`+>`
	`281`	`+> - Selecting Move to mailbox folder \> Inbox on quarantined messages in :::image type="icon" source="media/m365-cc-sc-take-actions-icon.png" border="false"::: Take action from other Defender for Office 365 features (for example, Explorer (Threat Explorer) or the Email entity page) also allows you to release messages from quarantine. For more information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard).`
`280`	`282`
`281`	`283`	`After you select the message, use either of the following methods to release it:`
`282`	`284`