Microsoft: Office 365 gets automated response to phishing, nasty links, malware

Enterprise Office 365 customers can now try Microsoft's automated incident response to thwart email attacks.
Written by Liam Tung, Contributing Writer on

Microsoft has made its Automated Incident Response in Office 365 Advanced Threat Protection (ATP) generally available to enterprise customers.

The automation feature, announced in preview earlier this April, aims to help security analysts respond faster and more systematically to a barrage of security alerts.   

SEE: 10 tips for new cybersecurity pros (free PDF)

Microsoft is making two categories of automated incident response generally available. The first are automatic investigations that commence in response to new alerts, such as users reporting phishing email, users clicking on a link determined to be malicious, malware being detected in received email, and phishing email that has landed in a user's mailbox. 

The second category consists of manually initiated investigations that use Microsoft's 'automated playbook' sequences for different scenarios and attack types. 

For example, one playbook helps security analysts respond to user reports of phishing email, while the 'weaponized URL playbook' assists in the response to a URL found to be malicious. Security analysts can launch these investigations through Microsoft's Threat Explorer tool. 

The playbooks "correlate similar emails sent or received within the organization and any suspicious activities for relevant users". The playbooks also flag suspicious activities on user accounts, such as mail forwarding, mail delegation, Office 365 Data Loss Prevention (DLP) violations, or suspicious email sending patterns.

Overall, the playbooks aim to help analysts quickly contain a threat, for example, by locking down accounts and devices as well as requiring multi-factor authentication, and ultimately removing the threat. 

The investigation dashboard provides details about the investigation number, the time it started and ended, pending actions required, as well as users, devices and emails investigated.   

READ MORE: Microsoft is offering a 'free' Windows 7 extended security update to some business users

The automated incident response features are available to organizations with the Office 365 ATP Plan 2, which costs $5 per user a month, as well as Office 365 Enterprise E5 tier, which costs $35 per user a month. 

Both require contracts of one year. It is also available in the Microsoft 365 E5 Security bundle. 


Email messages containing malware removed after a delivery alert trigger an investigation into similar emails and related user actions in Office 365.

Image: Microsoft
Editorial standards