You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-office-365/mdo-email-entity-page.md
+9-3Lines changed: 9 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ f1.keywords:
5
5
author: chrisda
6
6
ms.author: chrisda
7
7
manager: bagol
8
-
ms.date: 07/07/2025
8
+
ms.date: 09/22/2025
9
9
audience: ITPro
10
10
ms.topic: article
11
11
ms.service: defender-office-365
@@ -297,7 +297,10 @@ Use :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="fal
297
297
298
298
If you select an entry in the **Attachments** view by clicking on the **Attachment filename** value, a details flyout opens that contains the following information:
299
299
300
-
-**Deep analysis** tab: Information is available on this tab if [Safe Attachments](safe-attachments-about.md) scanned (detonated) the attachment. You can identify these messages in Threat Explorer by using the query filter **Detection technology** with the value **File detonation**.
300
+
-**Deep analysis** tab: Information is available on this tab if [Safe Attachments](safe-attachments-about.md) scanned (detonated) the attachment and it is identified as malicious through detonation. You can identify these messages in Threat Explorer using the following methods:
301
+
-**Detection technology** query filter with the value **File detonation**.
302
+
-**Detonation available** indicator in the **Details** column.
303
+
- The detonation count shown in the Email Summary Panel.
301
304
302
305
-**Detonation chain** section: Safe Attachments detonation of a single file can trigger multiple detonations. The _detonation chain_ tracks the path of detonations, including the original malicious file that caused the verdict, and all other files affected by the detonation. These attached files might not be directly present in the email. But, including the analysis is important to determining why the file was found to be malicious.
303
306
@@ -378,7 +381,10 @@ Use :::image type="icon" source="media/m365-cc-sc-download-icon.png" border="fal
378
381
379
382
If you select an entry in the **URL** view by clicking on the **URL** value, a details flyout opens that contains the following information:
380
383
381
-
-**Deep analysis** tab: Information is available on this tab if [Safe Links](safe-links-about.md) scanned (detonated) the URL. You can identify these messages in Threat Explorer by using the query filter **Detection technology** with the value **URL detonation**.
384
+
-**Deep analysis** tab: Information is available on this tab if [Safe Links](safe-links-about.md) scanned (detonated) the URL and it is identified as malicious through detonation. You can identify these messages in Threat Explorer using the following methods:
385
+
-**Detection technology** query filter with the value **URL detonation**.
386
+
-**Detonation available** indicator in the **Details** column.
387
+
- The detonation count shown in the Email Summary Panel.
382
388
383
389
-**Detonation chain** section: Safe Links detonation of a single URL can trigger multiple detonations. The _detonation chain_ tracks the path of detonations, including the original malicious URL that caused the verdict, and all other URLs affected by the detonation. These URLs might not be directly present in the email. But, including the analysis is important to determining why the URL was found to be malicious.
> To allow phishing URLs that are part of non-Microsoft attack simulation training, use the [advanced delivery configuration](advanced-delivery-policy-configure.md) to specify the URLs. Don't use the Tenant Allow/Block List.
32
-
33
30
You might occasionally disagree with the Microsoft filtering verdict for email messages, Microsoft Teams messages, or Office apps. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative), or a URL might be blocked when it shouldn't have.
34
31
35
32
The Tenant Allow/Block List in the Microsoft Defender portal gives you a way to manually override filtering verdicts. The list is used during mail flow (for email) or time of click (for email, Teams, or Office apps).
36
33
37
-
Entries for **Domains and email addresses** and **Spoofed senders** apply to messages from both internal and external senders. Special handling applies to internal spoofing scenarios. Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses.
38
-
39
34
The Tenant Allow/Block list is available in the Microsoft Defender portal at <https://security.microsoft.com>**Email & collaboration**\>**Policies & rules**\>**Threat Policies**\>**Rules** section \>**Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.
40
35
41
36
For usage and configuration instructions, see the following articles:
42
37
43
38
-**Domains and email addresses** and **spoofed senders**: [Allow or block emails using the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md)
39
+
- Entries apply to the MAIL FROM address (also known as the `5321.MailFrom` address, P1 sender, or envelope sender), not the From address (also known as the `5322.From` address or P2 sender). For more information about these addresses, see [Why internet email needs authentication](email-authentication-about.md#why-internet-email-needs-authentication).
40
+
- Entries apply to messages from both internal and external senders. Special handling applies to internal spoofing scenarios.
41
+
- Block entries for **Domains and email addresses** also prevent users in the organization from *sending* email to those blocked domains and addresses.
44
42
-**Files**: [Allow or block files using the Tenant Allow/Block List](tenant-allow-block-list-files-configure.md)
45
43
-**URLs**: [Allow or block URLs using the Tenant Allow/Block List](tenant-allow-block-list-urls-configure.md).
44
+
- To allow phishing URLs from non-Microsoft attack simulation training, don't use URL allow entries in the Tenant Allow/Block List. Use the [advanced delivery policy](advanced-delivery-policy-configure.md) to specify the URLs.
46
45
-**IP addresses**: [Allow or block IPv6 addresses using the Tenant Allow/Block List](tenant-allow-block-list-ip-addresses-configure.md).
47
46
-**Teams domains**: [Block domains in Microsoft Teams using the Tenant Allow/Block List](tenant-allow-block-list-teams-domains-configure.md).
![m365-skilling-repo-management[bot]](https://avatars.githubusercontent.com/in/1161012?v=4&size=40){kind=avatar}
0 commit comments