Commit e0cc6cc

Merge pull request #4286 from MicrosoftDocs/chrisda
Chrisda to Main
2 parents 40b1215 + 638fef8 commit e0cc6cc

4 files changed

+34
-31
lines changed

defender-office-365/anti-phishing-protection-tuning.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -57,7 +57,7 @@ You can also use the [configuration analyzer](configuration-analyzer-for-securit
5757

5858
- On a monthly basis, run [Secure Score](/defender-xdr/microsoft-secure-score) to assess your organization's security settings.
5959

60-
- For messages that end up in quarantine by mistake (false positives), or for messages that are allowed through (false negatives), we recommend that you search for those messages in [Threat Explorer and real-time detections](threat-explorer-real-time-detections-about.md). You can search by sender, recipient, or message ID. After you locate the message, go to details by clicking on the subject. For a quarantined message, look to see what the "detection technology" was so that you can use the appropriate method to override. For an allowed message, look to see which policy allowed the message.
60+
- For messages that end up in quarantine by mistake (false positives), or for messages that are allowed through (false negatives), we recommend that you search for those messages in [Threat Explorer and real-time detections](threat-explorer-real-time-detections-about.md). You can search by sender, recipient, or message ID. After you locate the message, go to details by clicking on the subject. For a quarantined message, use the **Detection technology** value to find an appropriate method to override. For an allowed message, view which policy allowed the message.
6161

6262
- Email from spoofed senders (the From address of the message doesn't match the source of the message) is classified as _phishing_ in Defender for Office 365. Sometimes spoofing is benign, and sometimes users don't want messages from specific spoofed sender to be quarantined. To minimize the impact to users, periodically review the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md), [entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-defender-portal-to-view-entries-for-spoofed-senders-in-the-tenant-allowblock-list), and the [Spoof detections report](reports-email-security.md#spoof-detections-report). After you review allowed and blocked spoofed senders and make any necessary overrides, you can confidently [configure spoof intelligence in anti-phishing policies](anti-phishing-policies-about.md#spoof-settings) to **Quarantine** suspicious messages instead of delivering them to the user's Junk Email folder.
6363
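Review bot: "use the **Detection technology** value to find an appropriate method to override" (line 60) reads awkwardly because "method to override" has no object; suggest "use the **Detection technology** value to choose the appropriate override method" so it parallels "view which policy allowed the message" in the next sentence. The bold-UI-label change itself is the right convention for this repo.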

defender-office-365/campaigns.md

Lines changed: 1 addition & 1 deletion
@@ -174,7 +174,7 @@ The available properties and their associated values are described in the follow
174174
|Delivery action|Select one or more values¹: <ul><li>**Blocked**</li><li>**Delivered**</li><li>**Delivered to junk**</li><li>**Replaced**</li></ul>|
175175
|Additional action|Select one or more values¹: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**</li><li>**ZAP**: For more information, see [Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365](zero-hour-auto-purge.md).</li></ul>|
176176
|Directionality|Select one or more values¹: <ul><li>**Inbound**</li><li>**Intra-irg**</li><li>**Outbound**</li></ul>|
177-
|Detection technology|Select one or more values¹: <ul><li>**Advanced filter**: Signals based on machine learning.</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis.</li><li>**File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations.</li><li>**File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.</li><li>**Fingerprint matching**: The message closely resembles a previous detected malicious message.</li><li>**General filter**</li><li>**Impersonation brand**: Sender impersonation of well-known brands.</li><li>**Impersonation domain**: Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).</li><li>**Mixed analysis detection**: Multiple filters contributed to the message verdict.</li><li>**spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md).</li><li>**Spoof external domain**: Sender email address spoofing using a domain that's external to your organization.</li><li>**Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization.</li><li>**URL detonation**: [Safe Links](safe-links-about.md) detected a malicious URL in the message during detonation 
analysis.</li><li>**URL detonation reputation**</li><li>**URL malicious reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.</li></ul>|
177+
|Detection technology|Select one or more values¹: <ul><li>**Advanced filter**: Signals based on machine learning.</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis.</li><li>**File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations.</li><li>**File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.</li><li>**Fingerprint matching**: The message closely resembles a previous detected malicious message.</li><li>**General filter**</li><li>**Impersonation brand**: Sender impersonation of well-known brands.</li><li>**Impersonation domain**: Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**LLM content analysis**: Analysis by Microsoft's purpose-built large language models to detect harmful email.</li><li>**Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).</li><li>**Mixed analysis detection**: Multiple filters contributed to the message verdict.</li><li>**spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md).</li><li>**Spoof external domain**: Sender email address spoofing using a domain that's external to your organization.</li><li>**Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization.</li><li>**URL 
detonation**: [Safe Links](safe-links-about.md) detected a malicious URL in the message during detonation analysis.</li<li>**URL detonation reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.</li><li>**URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.</li></ul>|
178178
|Original delivery location|Select one or more values¹: <ul><li>**Deleted Items folder**</li><li>**Dropped**</li><li>**Failed**</li><li>**Inbox/folder**</li><li>**Junk folder**</li><li>**On-prem/external**</li><li>**Quarantine**</li><li>**Unknown**</li></ul>|
179179
|Latest delivery location|Same values as **Original delivery location**</li></ul>|
180180
|System overrides|Select one or more values¹: <ul><li>**Allowed by user policy**</li><li>**Blocked by user policy**</li><li>**Allowed by organization policy**</li><li>**Blocked by organization policy**</li><li>**File extension blocked by organization policy**</li><li>**None**</li></ul>|
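Review bot: the new **Detection technology** row (line 177) contains a malformed tag, `</li<li>` between the **URL detonation** and **URL detonation reputation** entries (the `>` is missing), which will break the rendered list; change it to `</li><li>`. In the same row, **spoof DMARC** is the only value not capitalized like its siblings (**Spoof external domain**, **Spoof intra-org**) and the reports-email-security.md list in this PR uses **Spoof DMARC**, and "a previous detected malicious message" under **Fingerprint matching** should read "previously detected". Two issues sit in unchanged context lines and could be picked up here: the **Directionality** row has the typo **Intra-irg** (for **Intra-org**), and the **Latest delivery location** row ends with stray `</li></ul>` closers that have no matching opening tags.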

defender-office-365/reports-email-security.md

Lines changed: 4 additions & 3 deletions
@@ -489,6 +489,7 @@ In the **View data by Email \> Phish** and **Chart breakdown by Detection Techno
489489
- **Impersonation brand**: Sender impersonation of well-known brands.
490490
- **Impersonation domain**<sup>\*</sup>: Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
491491
- **Impersonation user**<sup>\*</sup>: Impersonation of protected senders that you specified in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) or learned through mailbox intelligence.
492+
- **LLM content analysis**: Analyis by Microsoft's purpose-built large language models to detect harmful email.
492493
- **Mailbox intelligence impersonation**<sup>\*</sup>: Impersonation detections from mailbox intelligence in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).
493494
- **Mixed analysis detection**: Multiple filters contributed to the message verdict.
494495
- **Spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md).
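Review bot: typo in the added line 492: "Analyis" should be "Analysis"; the same **LLM content analysis** entry added to campaigns.md and to the detection technology table elsewhere in this PR spells it correctly, so the three should match.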
@@ -623,14 +624,14 @@ On the **Threat protection status** page, the :::image type="icon" source="media
623624
624625
In the **View data by Email \> Malware** and **Chart breakdown by Detection Technology** view, the following information is shown in the chart:
625626

627+
- **Anti-malware engine**<sup>\*</sup>: Detection from anti-malware.
628+
- **Campaign**<sup>\*</sup>: Messages identified as part of a [campaign](campaigns.md).
626629
- **File detonation**<sup>\*</sup>: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis.
627630
- **File detonation reputation**<sup>\*</sup>: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations.
628631
- **File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.
629-
- **Anti-malware engine**<sup>\*</sup>: Detection from anti-malware.
630-
- **URL malicious reputation**
631632
- **URL detonation**<sup>\*</sup>: [Safe Links](safe-links-about.md) detected a malicious URL in the message during detonation analysis.
632633
- **URL detonation reputation**<sup>\*</sup>: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.
633-
- **Campaign**<sup>\*</sup>: Messages identified as part of a [campaign](campaigns.md).
634+
- **URL malicious reputation**
634635

635636
<sup>\*</sup> Defender for Office 365 only
636637
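Review bot: **URL malicious reputation** (line 634) is the only entry in this reordered list without a description, which stands out more now that it sits last. The campaigns.md change in this same PR supplies one ("The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations"), so reuse that text here; it also mirrors the **File reputation** wording above it. The alphabetical reorder otherwise matches the phish list in the earlier hunk.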

Lines changed: 28 additions & 26 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Understanding detection technology within the email entity page in Microsoft Defender for Office 365
3-
description: Guide to understanding the detection technology shown on the email entity page in Microsoft Defender for Office 365, what the detection technologies mean, how they're triggered, and how to resolve false positives (see the admin submission video).
3+
description: Guide to understanding the detection technology shown on the Email entity page in Microsoft Defender for Office 365. What the detection technologies mean, how they're triggered, and how to resolve false positives (see the admin submission video).
44
author: chrisda
55
ms.author: chrisda
66
manager: deniseb
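Review bot: the new `description` splits into a sentence followed by a fragment ("... in Microsoft Defender for Office 365. What the detection technologies mean, how they're triggered, ..."). Metadata descriptions are shown as a single snippet, so either keep the original comma (", what the detection technologies mean, ...") or start the second part with a verb ("Learn what the detection technologies mean, ..."). The capitalization change to "Email entity page" is consistent with the page title.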
@@ -16,41 +16,43 @@ ms.collection:
1616

1717
# Understanding detection technology in the email entity page of Microsoft Defender for Office 365
1818

19-
If a threat is detected on the Microsoft Defender for Office 365 [*email entity page*](../mdo-email-entity-page.md), threat information will display on the left-hand flyout. This panel will also show you the **detection technology** that led to that verdict.
19+
If a threat is detected on the Microsoft Defender for Office 365 [*email entity page*](../mdo-email-entity-page.md), threat information displays on the left-hand flyout. This panel also shows you the **detection technology** that led to that verdict.
2020

2121
This article is all about helping you **understand the different detection technologies**, how they work, and how to avoid any false alarms. Stay tuned for the Admin Submissions video at the end.
2222

2323
## Detection technology details table
2424

25-
To resolve false positives like the ones listed in the table below, you should always start with an **admin submission**, which will also prompt you to add an entry into the Tenant Allow/Block List (TABL). This entry adds a temporary override signal to the filters that determined the message was *malicious*, while filters are updated (if that's appropriate). See the articles below for more information on Admin submissions & TABL.
25+
To resolve false positives like the ones listed in the following table, you should always start with an **admin submission**, which also prompts you to add an entry into the Tenant Allow/Block List. This entry adds a temporary override signal to the filters that determined the message was *malicious*, while filters are updated (if that's appropriate). See the following articles for more information on admin submissions and the Tenant Allow/Block List.
2626

2727
- [Submissions: Report good email to Microsoft](../submissions-admin.md)
2828
- [Tenant Allow/Block List](../tenant-allow-block-list-about.md)
2929

3030
|The Detection technology|How it reaches a verdict|Notes|
31-
| -------- | -------- | -------- |
32-
|Advanced filter|Machine learning models based detection on email & contents, to detect phish & spam|
33-
|Antimalware protection|Detection from signature based anti-malware||
34-
|Bulk|Detection for advertising / marketing and similar message types with their relative complaint levels|[Step-by-Step guide on how to tune bulk thresholds](tune-bulk-mail-filtering-walkthrough.md)|
35-
|Campaign|Messages identified and grouped as part of a malware or phish campaign|[Learn more about campaigns](track-and-respond-to-emerging-threats-with-campaigns.md)|
36-
|Domain reputation|The message was sent from a domain that was identified as spam or phish domain, based on internal or external signals||
37-
|File detonation|Safe Attachments detected a malicious attachment during detonation within a sandbox||
38-
|File detonation reputation|File attachments previously detected by Safe Attachments during detonation||
39-
|File reputation|The message contains a file that was previously identified as malicious by other sources||
40-
|Fingerprint matching|The message resembles a previously detected malicious or spam message||
41-
|General filter|Phishing or spam signals based on analyst heuristics||
42-
|Impersonation brand|Sender impersonation of well-known brands||
43-
|Impersonation domain|Impersonation of sender domains that you own or specified for protection in anti-phishing policies|[Impersonation insight overview](../anti-phishing-mdo-impersonation-insight.md)|
44-
|Impersonation user|Impersonation of protected senders that you specified in anti-phishing policies|[Impersonation insight overview](../anti-phishing-mdo-impersonation-insight.md)|
45-
|IP reputation|The message was sent from an IP that was identified as potentially malicious||
46-
|Mailbox intelligence impersonation|Sender detected as impersonating an address in the user's personal sender map|[Mailbox intelligence impersonation protection](../anti-phishing-policies-about.md)|
47-
|Mixed analysis detection|Multiple filters contributed to the verdict for this message||
48-
|Spoof DMARC|The message failed DMARC authentication|[How Microsoft 365 handles inbound email that fails DMARC](../email-authentication-dmarc-configure.md)|
49-
|Spoof external domain|Spoof intelligence detected email spoofing of a domain that is external to your organization||
50-
|Spoof intra-org|Spoof intelligence detected email spoofing of a user or domain that is internal to your organization||
51-
|URL detonation|Safe Links detected a malicious URL in the message during detonation within a sandbox||
52-
|URL detonation reputation|URLs previously detected by Safe Links during detonation||
53-
|URL malicious reputation|The message contains a URL that was previously identified as malicious or spam by other sources||
31+
|---|---|---|
32+
|Advanced filter|Machine learning models to detect phishing and spam.||
33+
|Antimalware protection|Detection from signature based anti-malware.||
34+
|Bulk|Detection for advertising/marketing and similar message types with their relative bulk complaint levels (BCL).|[Step-by-Step guide on how to tune bulk thresholds](tune-bulk-mail-filtering-walkthrough.md)|
35+
|Campaign|Messages identified and grouped as part of a malware or phishing campaign.|[Learn more about campaigns](track-and-respond-to-emerging-threats-with-campaigns.md)|
36+
|Domain reputation|The message was sent from a domain that was identified as spam or phishing domain, based on internal or external signals.||
37+
|File detonation|Safe Attachments detected a malicious attachment during detonation within a sandbox.||
38+
|File detonation reputation|File attachments previously detected by Safe Attachments during detonation.||
39+
|File reputation|The message contains a file that was previously identified as malicious by other sources.||
40+
|Fingerprint matching|The message resembles a previously detected malicious or spam message.||
41+
|General filter|Phishing or spam signals based on analyst heuristics.||
42+
|Impersonation brand|Sender impersonation of well-known brands.||
43+
|Impersonation domain|Impersonation of sender domains that you own or specified for protection in anti-phishing policies.|[Impersonation insight overview](../anti-phishing-mdo-impersonation-insight.md)|
44+
|Impersonation user|Impersonation of protected senders that you specified in anti-phishing policies.|[Impersonation insight overview](../anti-phishing-mdo-impersonation-insight.md)|
45+
|IP reputation|The message was sent from an IP that was identified as potentially malicious.||
46+
|LLM content analysis|Analysis by Microsoft's purpose-built large language models to detect harmful email.||
47+
|Mailbox intelligence impersonation|Sender detected as impersonating an address in the user's personal sender map.|[Mailbox intelligence impersonation protection](../anti-phishing-policies-about.md)|
48+
|Mixed analysis detection|Multiple filters contributed to the verdict for this message.||
49+
|Spoof DMARC|The message failed DMARC authentication.|[How Microsoft 365 handles inbound email that fails DMARC](../email-authentication-dmarc-configure.md)|
50+
|Spoof external domain|Spoof intelligence detected email spoofing of a domain that is external to your organization.||
51+
|Spoof intra-org|Spoof intelligence detected email spoofing of a user or domain that is internal to your organization.||
52+
|URL detonation|Safe Links detected a malicious URL in the message during detonation within a sandbox.||
53+
|URL detonation reputation|URLs previously detected by Safe Links during detonation.||
54+
|URL malicious reputation|The message contains a URL that was previously identified as malicious or spam by other sources.||
5455

5556
## Watch a video on submitting messages to Microsoft to learn more
57+
5658
> [!VIDEO https://www.youtube.com/embed/ta5S09Yz6Ks]
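Review bot: the link paths in the Notes column are inconsistent about directory depth: **Bulk** and **Campaign** link to `tune-bulk-mail-filtering-walkthrough.md` and `track-and-respond-to-emerging-threats-with-campaigns.md` with no prefix, while every other note in the table and the two intro links use `../` (for example `../anti-phishing-mdo-impersonation-insight.md`). Since all of these rows are rewritten in this hunk, verify which form resolves from this file's location and use it throughout. Smaller points in the same rows: **Mailbox intelligence impersonation** links to `../anti-phishing-policies-about.md` with no anchor, whereas the other files in this PR point at `#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365`; **Domain reputation** still reads "identified as spam or phishing domain" (missing "a"); and "signature based" under **Antimalware protection** wants a hyphen. The separator-row fix to `|---|---|---|` and the missing trailing cells on the old **Advanced filter** row are correctly addressed.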
