Commit 5bf406d

Merge pull request #2773 from MicrosoftDocs/main
Publish main to live, 02/14, 11:00 AM IST
2 parents 174044b + 400d588 commit 5bf406d

3 files changed

+20
-20
lines changed
defender-office-365/detect-and-remediate-illicit-consent-grants.md

Lines changed: 15 additions & 18 deletions
Original file line number | Diff line number | Diff line change
@@ -10,15 +10,14 @@ ms.topic: conceptual
1010
ms.collection:
1111
- tier2
1212
- m365-security
13-
ms.date: 6/14/2023
13+
ms.date: 02/13/2025
1414
ms.localizationpriority: medium
1515
search.appverid:
1616
- MET150
1717
description: Learn how to recognize and remediate the illicit consent grants attack in Microsoft 365.
1818
ms.custom:
1919
- seo-marvel-apr2020
20-
- has-azure-ad-ps-ref
21-
- azure-ad-ref-level-one-done
20+
- no-azure-ad-ps-ref
2221
ms.service: defender-office-365
2322
appliesto:
2423
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
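Review bot: the `ms.custom` change from `has-azure-ad-ps-ref` to `no-azure-ad-ps-ref`, together with dropping `azure-ad-ref-level-one-done`, should be checked against the article body, which still directs readers to `Get-AzureADPSPermissions.ps1`. If that script depends on the AzureAD module rather than the Microsoft Graph PowerShell SDK, the new tag misstates the article's state; confirm the script's module requirement before merging the tag flip.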
@@ -33,7 +32,7 @@ appliesto:
3332

3433
## What is the illicit consent grant attack in Microsoft 365?
3534

36-
In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application is granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps (for example, resetting passwords or requiring multi-factor authentication (MFA)) aren't effective against this type of attack, because these apps are external to the organization.
35+
In an illicit consent grant attack, the attacker creates a registered application in Microsoft Entra ID that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application is granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps (for example, resetting passwords or requiring multifactor authentication (MFA)) aren't effective against this type of attack, because these apps are external to the organization.
3736

3837
These attacks use an interaction model that presumes the entity calling the information is automation and not a human.
3938

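Review bot: the unchanged sentence "These attacks use an interaction model that presumes the entity calling the information is automation and not a human" is hard to parse; "calling the information" is not idiomatic. Suggest "These attacks rely on an interaction model that assumes the entity requesting the data is an application, not a human."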
@@ -42,11 +41,11 @@ These attacks use an interaction model that presumes the entity calling the info
4241
4342
## What does an illicit consent grant attack look like in Microsoft 365?
4443

45-
You need to search the **audit log** to find signs, also called Indicators of Compromise (IOC) of this attack. For organizations with many Azure-registered applications and a large user base, the best practice is to review your organizations consent grants on a weekly basis.
44+
You need to search the **audit log** to find signs, also called Indicators of Compromise (IOC) of this attack. For organizations with many applications registered in Microsoft Entra ID and a large user base, you should review your organizations consent grants every week.
4645

4746
### Steps for finding signs of this attack
4847

49-
1. Open the Microsoft Defender portal at <https://security.microsoft.com> and then select **Audit**. Or, to go directly to the **Audit** page, use <https://security.microsoft.com/auditlogsearch>.
48+
1. In the Microsoft Defender portal at <https://security.microsoft.com>, select **Audit**. Or, to go directly to the **Audit** page, use <https://security.microsoft.com/auditlogsearch>.
5049

5150
2. On the **Audit** page, verify that the **Search** tab is selected, and then configure the following settings:
5251
- **Date and time range**
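Review bot: the rewritten sentence keeps two grammar slips from the original: "your organizations consent grants" needs a possessive ("your organization's consent grants"), and "Indicators of Compromise (IOC)" should be plural "(IOCs)" since the later heading "If you have one or more instances of the IOCs" uses the plural form.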
@@ -62,25 +61,25 @@ You need to search the **audit log** to find signs, also called Indicators of Co
6261
>
6362
> It can take from 30 minutes up to 24 hours for the corresponding audit log entry to be displayed in the search results after an event occurs.
6463
>
65-
> The length of time that an audit record is retained and searchable in the audit log depends on your Microsoft 365 subscription, and specifically the type of the license that is assigned to a specific user. For more information, see [Audit log](/purview/audit-log-search).
64+
> The length of time that an audit record is retained and searchable in the audit log depends on your Microsoft 365 subscription. Specifically, the licenses assigned to specific users. For more information, see [Audit log](/purview/audit-log-search).
6665
>
67-
> The value is true indicates that someone with Global Administrator access might have granted broad access to data. If this value is unexpected, take steps to [confirm an attack](#how-to-confirm-an-attack).
66+
> The value True indicates that someone with Global Administrator access might have granted broad access to data. If this value is unexpected, take steps to [confirm an attack](#how-to-confirm-an-attack).
6867
6968
## How to confirm an attack
7069

7170
If you have one or more instances of the IOCs previously listed, you need to do further investigation to positively confirm that the attack occurred. You can use any of these three methods to confirm the attack:
7271

73-
- Inventory applications and their permissions using the Microsoft Entra admin center. This method is thorough, but you can only check one user at a time that can be very time consuming if you have many users to check.
74-
- Inventory applications and their permissions using PowerShell. This is the fastest and most thorough method, with the least amount of overhead.
75-
- Have your users individually check their apps and permissions and report the results back to the administrators for remediation.
72+
- Inventory applications and their permissions using the Microsoft Entra admin center. This method is thorough, but you can only check one user at a time. This method can be very time consuming if you have many users to check.
73+
- Inventory applications and their permissions using PowerShell. This method is the fastest, most method, and has the least amount of overhead.
74+
- Have users individually check their apps and permissions and report the results back to the admins for remediation.
7675

7776
## Inventory apps with access in your organization
7877

7978
You have the following options to inventory apps for your users:
8079

8180
- The Microsoft Entra admin center.
8281
- PowerShell.
83-
- Have your users individually enumerate their own application access.
82+
- Have users individually enumerate their own application access.
8483

8584
### Steps for using the Microsoft Entra admin center
8685

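Review bot: two of the rewritten lines introduce errors that the originals did not have. "depends on your Microsoft 365 subscription. Specifically, the licenses assigned to specific users." leaves a sentence fragment; suggest "depends on your Microsoft 365 subscription, specifically the licenses assigned to individual users." And "This method is the fastest, most method, and has the least amount of overhead." is missing a word; suggest "This method is the fastest and most thorough, and has the least overhead."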
@@ -98,21 +97,19 @@ Have your users go to <https://myapps.microsoft.com> and review their own applic
9897

9998
### Steps in PowerShell
10099

101-
The simplest way to verify the Illicit Consent Grant attack is to run [Get-AzureADPSPermissions.ps1](https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09), which dumps all the OAuth consent grants and OAuth apps for all users in your tenancy into one .csv file.
100+
The simplest way to verify the Illicit Consent Grant attack is to run [the Get-AzureADPSPermissions.ps1 script](https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09), which dumps all the OAuth consent grants and OAuth apps for all users in your tenancy into one .csv file.
102101

103102
#### Prerequisites
104103

105-
- The Azure AD PowerShell library installed.
104+
- The [Microsoft Graph PowerShell SDK is installed](/powershell/microsoftgraph/installation).
106105
- Global Administrator permissions in the organization where the script is run.
107106
- Local Administrator permissions on the computer where you run the scripts.
108107

109108
> [!IMPORTANT]
110-
> We ***highly recommend*** that you require multi-factor authentication on your admin account. This script supports MFA authentication.
109+
> We ***highly recommend*** that you require multifactor authentication on your admin account. This script supports MFA authentication.
111110
>
112111
> Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
113112
114-
[!INCLUDE [Azure AD PowerShell deprecation note](../includes/aad-powershell-deprecation-note.md)]
115-
116113
1. Sign in to the computer where you want to run the scripts with local administrator rights.
117114

118115
2. Download or copy the [Get-AzureADPSPermissions.ps1](https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09) script from GitHub to a folder that's easy to find and remember. This folder is also where you need to write the "permissions.csv" output file is written.
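Review bot: the prerequisite now says the Microsoft Graph PowerShell SDK is installed, and the Azure AD PowerShell deprecation include is removed, but the procedure still runs `Get-AzureADPSPermissions.ps1` from the linked gist; if that script imports the AzureAD module, the prerequisite change will send readers into a failing run. Verify the script's module requirement or point to a Graph-based equivalent. Separately, the unchanged step text "This folder is also where you need to write the "permissions.csv" output file is written." is garbled; suggest "This folder is also where the permissions.csv output file is written." and align the casing with "Permissions.csv" used in the next hunk's context.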
@@ -142,7 +139,7 @@ The script produces one file named Permissions.csv. Follow these steps to look f
142139
After you finished inventorying application access, review the **audit log** to determine the full scope of the breach. Search on the affected users, the time frames that the illicit application had access to your organization, and the permissions the app had. You can search the **audit log** in the [Microsoft Defender portal](audit-log-search-defender-portal.md).
143140

144141
> [!IMPORTANT]
145-
> [Mailbox auditing](/purview/audit-mailboxes) and [Activity auditing for admins and users](/purview/audit-log-enable-disable) must have been enabled prior to the attack for you to get this information.
142+
> Getting this information requires [Mailbox auditing](/purview/audit-mailboxes) and [Activity auditing for admins and users](/purview/audit-log-enable-disable) to be turned on before the attack.
146143
147144
## How to stop and remediate an illicit consent grant attack
148145

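Review bot: the reworded IMPORTANT note reads well, but the unchanged context line "After you finished inventorying application access" should be "After you finish inventorying application access" to match the present-tense instructions around it.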
defender-office-365/quarantine-policies.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -516,6 +516,9 @@ Even if you don't customize quarantine notifications for different languages, se
516516

517517
- **Use my company logo**: Select this option to replace the default Microsoft logo that's used at the top of quarantine notifications. Before you do this step, you need to follow the instructions in [Customize the Microsoft 365 theme for your organization](/Microsoft-365/admin/setup/customize-your-organization-theme) to upload your custom logo.
518518

519+
> [!TIP]
520+
> PNG or JPEG logos are the most compatible in quarantine notifications in all versions of Outlook. For the best compatibility with SVG logos in quarantine notifications, use a URL link to the SVG logo instead of directly uploading the SVG file when you customize the Microsoft 365 theme.
521+
519522
A custom logo in a quarantine notification is shown in the following screenshot:
520523

521524
:::image type="content" source="media/quarantine-tags-esn-customization-logo.png" alt-text="A custom logo in a quarantine notification" lightbox="media/quarantine-tags-esn-customization-logo.png":::
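Review bot: the new TIP says to "use a URL link to the SVG logo instead of directly uploading the SVG file", but it does not say where that URL is entered; a reader following the linked "Customize the Microsoft 365 theme" article needs to know which theme setting accepts a URL versus an upload. Suggest naming that setting, or rewording to "point the theme's logo setting at a hosted URL for the SVG rather than uploading the file."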

defender-office-365/reports-email-security.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ description: "Admins can learn how to find and use the email security reports th
1919
ms.custom:
2020
- seo-marvel-apr2020
2121
ms.service: defender-office-365
22-
ms.date: 02/12/2025
22+
ms.date: 02/13/2025
2323
appliesto:
2424
- ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
2525
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -114,7 +114,7 @@ The **Mailflow status report** is a smart report that shows information about in
114114
> [!TIP]
115115
> If a message is sent to five recipients, we count it as five different messages, not one message.
116116
>
117-
> The Mailflow status report shows the **primary threat** responsible for blocking or quarantining messages. [Threat Explorer or Real-time detections](threat-explorer-real-time-detections-about.md) and [Advanced hunting in Defender for Office 365 Plan 2](/defender-xdr/advanced-hunting-overview) show **all threats** responsible for blocking or quarantining messages. The increased message counts in these other reporting features aren't caused by a mismatch or counting the same item multiple times. The increased message counts are the result of showing all detected threats involved at the same time.
117+
> The Mailflow status report shows the **primary threat** responsible for blocking or quarantining messages. [Threat Explorer or Real-time detections](threat-explorer-real-time-detections-about.md) and [Advanced hunting in Defender for Office 365 Plan 2](/defender-xdr/advanced-hunting-overview) show **primary and secondary threats** responsible for blocking or quarantining messages. The increased message counts in these other reporting features aren't caused by a mismatch or counting the same item multiple times. The increased message counts are the result of showing all detected threats involved at the same time.
118118
>
119119
> The aggregate message count in the Mailflow status report could also be more than the message count in Threat Explorer or Real-time detections due to [zero-hour autopurge (ZAP)](zero-hour-auto-purge.md) activity. ZAP removes messages from mailboxes after delivery, so ZAP activity doesn't affect message counts in the Mailflow status report. ZAP activity does affect message counts in Threat Explorer or Real-time detections. In Defender for Office 365, use the [Post-delivery activities report](reports-defender-for-office-365.md#post-delivery-activities-report) to understand the lifecycle of ZAP on messages in the organization.
120120

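Review bot: the change from "all threats" to "primary and secondary threats" is not carried through to the last sentence of the same paragraph, which still says "the result of showing all detected threats involved at the same time." Suggest aligning it: "the result of showing the primary and secondary threats involved at the same time."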