I've set up Microsoft Defender's Anti-Phishing and Spam policies, and now I'm bombarded with over 150 notifications each day about incoming emails being quarantined because they're flagged as malicious. I can't afford to manually check them all for false positives, and though I'm doing some spot checking, I'm sure I'm missing many. How do you manage this issue, especially with AI-generated emails becoming more common? Any strategies or tools to help reduce the noise would be appreciated!
4 Answers
I manage around 100 a day manually and find that sorting emails by sender helps. Keeping a block list for known spammers cuts down on the noise significantly. You definitely want to stay engaged with this to ensure users are protected from phishing.
You might want to automate the process! Using a tool like Python along with an AI system could help. For instance, you could pull the raw email data and run it through a prompt asking whether it’s junk, authentic, or phishing. Then, based on the response, you can decide to release, block, or send it for phishing training. It'll make your life a lot easier and look good on your reports too!
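Before any manual or AI-assisted check, the daily pile can be cut down mechanically. The following Python triage is an added example, not code from any answer here or from Microsoft: it applies the block list and sort-by-sender idea from the first answer and leaves the release/block decision from the second answer to the reviewer. The tenant domain, block list, trusted domains and export rows are assumed or constructed; the column names follow the Exchange Online `Get-QuarantineMessage` output.

```python
import csv
import io
from collections import defaultdict

ORG_DOMAIN = "corp.example"                              # assumed tenant domain
BLOCKED_SENDERS = {"deals@bulk-promos.example"}          # known spammers, kept as a block list
TRUSTED_DOMAINS = {"vendor.example", "partner.example"}  # where false positives usually come from

# Constructed sample: columns mirror a Get-QuarantineMessage export, rows are invented.
SAMPLE_EXPORT = """\
Identity,ReceivedTime,SenderAddress,RecipientAddress,Subject,Type
q1,2024-05-01T08:01:00Z,deals@bulk-promos.example,alice@corp.example,50% off today,Spam
q2,2024-05-01T08:02:00Z,deals@bulk-promos.example,bob@corp.example,50% off today,Spam
q3,2024-05-01T08:05:00Z,invoices@vendor.example,alice@corp.example,Invoice 4471,Phish
q4,2024-05-01T08:09:00Z,it-support@c0rp.example,bob@corp.example,Password expires,Phish
q5,2024-05-01T08:11:00Z,hr@recruit-mail.example,carol@corp.example,Open role,Spam
q6,2024-05-01T08:15:00Z,news@partner.example,carol@corp.example,Weekly digest,Bulk
q7,2024-05-01T08:20:00Z,hr@recruit-mail.example,dave@corp.example,Open role,Spam
q8,2024-05-01T08:25:00Z,offer@unknown-sender.example,alice@corp.example,Quick question,Phish
"""

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def is_lookalike(domain, org=ORG_DOMAIN):
    """True when the domain is the org's own domain with exactly one character changed."""
    return (domain != org and len(domain) == len(org)
            and sum(a != b for a, b in zip(domain, org)) == 1)

def triage(export_text, blocked=BLOCKED_SENDERS, trusted=TRUSTED_DOMAINS):
    """Collapse a day's quarantine export into buckets, in order of reviewer attention:
    check_first (trusted sender, likeliest false positive), lookalike (imitates our
    domain, stays quarantined and goes on the block list), auto_delete (already
    blocked, let it expire unseen), review (the rest, one entry per sender, busiest first)."""
    buckets = {"check_first": [], "lookalike": [], "auto_delete": [], "review": []}
    per_sender = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        sender = row["SenderAddress"].lower()
        domain = domain_of(sender)
        if sender in blocked:
            buckets["auto_delete"].append(row["Identity"])
        elif domain in trusted:
            buckets["check_first"].append(row["Identity"])
        elif is_lookalike(domain):
            buckets["lookalike"].append(row["Identity"])
        else:
            per_sender[sender].append(row["Identity"])
    # Busiest sender first, so a campaign that hit many mailboxes is read once, not N times.
    buckets["review"] = sorted(per_sender.items(), key=lambda kv: -len(kv[1]))
    return buckets
```

Run on a real export, the "review" list is what is left for spot checks or for the AI prompt from the second answer, and anything confirmed as spam there feeds back into the block list.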
Honestly, you can't manage all of them yourself. It's best to let end users check their own quarantines. They can decide what's important or not, while you focus on bigger issues.
I totally get that, but still, if users need help, they should reach out to IT. It's tough to manage this all by yourself.
A simpler approach might be letting the quarantine act as a deletion point. If a user ever inquires about a missing email, then you can look it up. Instruct users not to trust emails about missing messages either, since those emails can often be phishing attempts.
Exactly! Plus, keep in mind that Microsoft filters out emails it identifies as high-confidence phishing, so those won't even show up in quarantine.

Agreed! But I feel you on having to hold users' hands sometimes. Not everyone is savvy enough to determine if an email is real or not.