Microsoft Defender for Office 365 Launches Auto-Remediation in Automated Investigation and Response to Enhance Email Security

Microsoft Defender for Office 365 now offers the GA release of auto-remediation in Automated Investigation and Response (AIR). The feature detects malicious messages, clusters them by shared malicious file or URL, and removes them at machine speed without waiting for a SOC analyst to approve each action.

Microsoft Defender for Office 365: Auto-Remediation Goes GA

Microsoft has officially launched the General Availability (GA) of auto-remediation for malicious messages in Automated Investigation and Response (AIR). This update marks a significant leap in email security automation, designed to help Security Operations Centers (SOC) work smarter, not harder.

What’s New with Auto-Remediation in AIR?

The latest enhancement enables AIR to not only detect and investigate threats but also automatically remediate malicious emails without waiting for SOC approval. This means threats are removed at machine speed, drastically reducing response times.

“With this enhancement, customers will be able to configure AIR to automatically execute remediations for messages within malicious entity clusters.” – Microsoft Defender Team

AIR clusters messages that share a malicious file or URL found during an investigation. If any message in such a cluster is still sitting in a user mailbox, AIR soft deletes it immediately, provided auto-remediation is enabled for that cluster type in the settings.

Major Updates: Configuration and Control

Auto-remediation isn’t turned on by default. Admins must enable it in the Microsoft Defender portal under Settings > Email & collaboration > MDO automation settings. There, organizations choose separately whether to auto-remediate clusters built on similar malicious files and clusters built on similar malicious URLs, so one type can be automated while the other still waits for approval.

Currently, the only supported automated remediation action is soft delete, which moves the message to the mailbox’s Deleted Items folder rather than purging it, so it remains recoverable. This cautious default keeps the action reversible while still removing the threat from the Inbox automatically.

Visibility and Oversight

All automated actions are logged and visible in the Microsoft Defender portal: on the investigation page, in the Action center, in Threat Explorer, and in Advanced Hunting. This gives SOC teams an audit trail for every automatic soft delete and a way to restore messages if an action was wrong.

“If customers disagree with the action executed, the ability to move the messages back to mailboxes is available.” – Microsoft Defender Team
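To make the clustering, soft-delete and restore behaviour described above concrete, here is a small Python model of that workflow. It is an added example, not Microsoft code and not the real AIR implementation: the class and field names (AirSimulator, AirSettings, Message, MAILBOX_FOLDERS) and the sample messages, hashes and URLs are all constructed for illustration. It shows three points a SOC engineer should expect from the real feature: a message is only acted on once even if it falls into several clusters, messages already outside the mailbox (quarantined) are left alone, and every soft delete is logged with enough state to reverse it.

```python
"""Toy model of AIR-style clustering, automatic soft delete and restore.

Added example only; names and data are hypothetical, not Microsoft's.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: only these folders count as "still in a user mailbox".
MAILBOX_FOLDERS = {"Inbox", "JunkEmail"}


@dataclass
class Message:
    network_message_id: str
    recipient: str
    location: str                         # Inbox, JunkEmail, DeletedItems, Quarantine
    attachment_hashes: frozenset = frozenset()
    urls: frozenset = frozenset()


@dataclass
class AirSettings:
    # Both off by default, mirroring the portal's opt-in model.
    auto_remediate_file_clusters: bool = False
    auto_remediate_url_clusters: bool = False


@dataclass
class AirSimulator:
    settings: AirSettings
    action_log: list = field(default_factory=list)   # audit trail of every action

    def cluster(self, messages, malicious_hashes, malicious_urls):
        """Group messages by each malicious file hash or URL they carry."""
        clusters = defaultdict(list)
        for m in messages:
            for h in m.attachment_hashes & malicious_hashes:
                clusters[("file", h)].append(m)
            for u in m.urls & malicious_urls:
                clusters[("url", u)].append(m)
        return dict(clusters)

    def remediate(self, clusters):
        """Soft delete in-mailbox members of enabled cluster types.

        Returns (acted, pending): keys that were soft deleted and keys that
        still need manual approval because their cluster type is not automated.
        """
        done, pending = set(), set()
        for (kind, indicator), members in clusters.items():
            enabled = (self.settings.auto_remediate_file_clusters if kind == "file"
                       else self.settings.auto_remediate_url_clusters)
            for m in members:
                key = (m.network_message_id, m.recipient)
                if key in done or m.location not in MAILBOX_FOLDERS:
                    continue                      # already handled or not in a mailbox
                if not enabled:
                    pending.add(key)
                    continue
                self.action_log.append({"key": key, "cluster": (kind, indicator),
                                        "from": m.location, "action": "SoftDelete"})
                m.location = "DeletedItems"       # soft delete: recoverable, not purged
                done.add(key)
        return sorted(done), sorted(pending - done)

    def restore(self, messages, keys):
        """Undo: move soft-deleted messages back to their original folder."""
        by_key = {(m.network_message_id, m.recipient): m for m in messages}
        restored = 0
        for entry in self.action_log:
            if entry["key"] in keys and entry["action"] == "SoftDelete":
                by_key[entry["key"]].location = entry["from"]
                entry["action"] = "Restored"
                restored += 1
        return restored


def run_scenario():
    """Constructed sample: file clusters automated, URL clusters left for approval."""
    bad_hash = "sha256:0000aaaa"                  # constructed indicator
    bad_url = "https://invoice.example.invalid/x"  # constructed indicator
    messages = [
        Message("nm-1", "alice@contoso.example", "Inbox", frozenset({bad_hash})),
        Message("nm-1", "bob@contoso.example", "JunkEmail", frozenset({bad_hash}), frozenset({bad_url})),
        Message("nm-2", "carol@contoso.example", "Quarantine", frozenset({bad_hash})),
        Message("nm-3", "dave@contoso.example", "Inbox", urls=frozenset({bad_url})),
        Message("nm-4", "erin@contoso.example", "Inbox", urls=frozenset({"https://benign.example/"})),
    ]
    air = AirSimulator(AirSettings(auto_remediate_file_clusters=True))
    clusters = air.cluster(messages, {bad_hash}, {bad_url})
    done, pending = air.remediate(clusters)
    # An analyst disagrees with one action and puts bob's copy back.
    restored = air.restore(messages, {("nm-1", "bob@contoso.example")})
    locations = {(m.network_message_id, m.recipient): m.location for m in messages}
    return done, pending, restored, locations


if __name__ == "__main__":
    print(run_scenario())
```

Note that bob's copy is in both the file cluster and the URL cluster; it is soft deleted once through the automated file cluster and never shows up as pending for the non-automated URL cluster, while dave's copy (URL cluster only) stays in the Inbox awaiting approval.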

Why This Matters for SOC Teams

By automating end-to-end threat response, AIR reduces manual workloads and accelerates remediation. SOC teams can focus on complex threats while routine malicious messages get handled automatically.

In a world where phishing and malware attacks evolve rapidly, this update helps organizations stay ahead by removing threats faster and more efficiently.

Learn More and Get Involved

Microsoft invites security professionals to join a deep dive webinar on June 25, 2025, to explore these updates and how AIR can optimize SOC operations. For detailed documentation, visit the official Microsoft Defender for Office 365 learning pages.

Stay tuned and keep your defenses sharp with Microsoft’s latest advancements in automated email threat remediation.

  • AIR clusters malicious files and URLs to group related threat messages for efficient handling.
  • Auto-remediation is configurable via MDO automation settings, allowing organizations to opt-in selectively.
  • Currently, soft delete is the supported remediation action executed automatically by AIR.
  • Remediation actions are logged and visible in Defender portal tools like Threat Explorer and Advanced Hunting.
  • Admins can reverse an auto-remediation action by moving the affected messages back to the mailboxes, keeping control over message handling.
  • From the New blog articles in Microsoft Community Hub