Microsoft Defender for Office 365 now offers GA release of auto-remediation in Automated Investigation and Response (AIR). This feature automatically detects, clusters, and removes malicious messages at machine speed, streamlining SOC workflows and enhancing security by eliminating the need for manual approvals.

Microsoft Defender for Office 365: Auto-Remediation Goes GA
Microsoft has officially launched the General Availability (GA) of auto-remediation for malicious messages in Automated Investigation and Response (AIR). This update marks a significant leap in email security automation, designed to help Security Operations Centers (SOC) work smarter, not harder.
What’s New with Auto-Remediation in AIR?
The latest enhancement enables AIR to not only detect and investigate threats but also automatically remediate malicious emails without waiting for SOC approval. This means threats are removed at machine speed, drastically reducing response times.
“With this enhancement, customers will be able to configure AIR to automatically execute remediations for messages within malicious entity clusters.” – Microsoft Defender Team
AIR now clusters malicious files or URLs found in emails and groups all related messages. If any of these messages reside in user mailboxes, AIR triggers remediation actions instantly, provided auto-remediation is enabled in settings.
Major Updates: Configuration and Control
Auto-remediation isn’t turned on by default. Admins must enable it via Settings > Email & Collaboration > MDO automation settings. Here, organizations can specify whether to auto-remediate clusters based on similar malicious files or URLs.
Currently, the only supported remediation action is soft delete, which safely removes the malicious message without permanent deletion. This cautious approach helps maintain control while automating threat removal.
Visibility and Oversight
All automated actions are logged and visible across multiple Defender portals, including Investigation, Action Center, Threat Explorer, and Advanced Hunting. This transparency ensures SOC teams can audit and, if necessary, restore messages.
“If customers disagree with the action executed, the ability to move the messages back to mailboxes is available.” – Microsoft Defender Team
Why This Matters for SOC Teams
By automating end-to-end threat response, AIR reduces manual workloads and accelerates remediation. SOC teams can focus on complex threats while routine malicious messages get handled automatically.
In a world where phishing and malware attacks evolve rapidly, this update helps organizations stay ahead by removing threats faster and more efficiently.
Learn More and Get Involved
Microsoft invites security professionals to join a deep dive webinar on June 25, 2025, to explore these updates and how AIR can optimize SOC operations. For detailed documentation, visit the official Microsoft Defender for Office 365 learning pages.
Stay tuned and keep your defenses sharp with Microsoft’s latest advancements in automated email threat remediation.
From the New blog articles in Microsoft Community Hub