Microsoft Defender for Office 365: Auto-remediation of malicious URL and file clusters identified through AIR (preview)

Message Center ID: MC1061102
Microsoft Defender XDR
Stay Informed
New feature, Admin impact
May 2025 June 2025
Web

Summary

Microsoft Defender for Office 365 will soon offer auto-remediation for malicious URL and file clusters identified through automated investigation and response (AIR). Admins must enable this feature on the new MDO automation settings page. Public preview starts early May 2025, with general availability by early June 2025. Auto-remediation will be off by default.

Details

Coming soon: The automated investigation and response (AIR) capability in Microsoft Defender for Office 365 (MDO) will allow admins to configure auto-remediation of malicious entity clusters (URL clusters and file clusters) identified by AIR. Auto-remediation expands on the existing AIR capability by letting customers further expedite remediation through automation, increasing protection and reducing SOC workload. Auto-remediation will not be on by default; admins who want to use the new automation will need to turn on auto-remediation for each cluster type on the new MDO automation settings page in Defender.

This message is associated with Microsoft 365 Roadmap ID 186576.

[When this will happen:]

Public Preview: We will begin rolling out early May 2025 and expect to complete by mid-May 2025.

General Availability (Worldwide): We will begin rolling out mid-May 2025 and expect to complete by early June 2025.

[How this will affect your organization:]

After this rollout, admins will have a new MDO automation settings page in the Defender portal at Settings > Email & collaboration > MDO automation settings, where they can turn on auto-remediation for malicious URL clusters and file clusters identified through MDO AIR.

After you have enabled the new feature, AIR will automatically execute the soft deletion of messages identified in malicious URL clusters and file clusters that remain in mailboxes.

Auto-remediated clusters will appear directly in Action center history for review. Also, messages remediated through AIR auto-remediation will be designated as attributed to automation in Explorer, in Advanced hunting and on the email entity page.

[What you need to do to prepare:]

Auto-remediation will be off by default. If desired, turn it on as described in this message.

This rollout will happen automatically by the specified dates with no admin action required before the rollout.

Learn more: Automated remediation in AIR - Microsoft Defender for Office 365 | Microsoft Learn.
