Investigations

This page is similar to the action center you can access on the Review page, but it contains only AIR items. In MDO, AIR currently covers only the automated investigation; the response is still a manual process. However, some initial automations are coming to MDO to handle soft deletion responses.

  • Soft deletion of email entity/cluster
  • Block URL
  • Turn off external mail forwarding
  • Turn off delegation

The suggested response depends on the threat. Microsoft provides a comprehensive list of threats and possible responses here.

Possible ways AIR can happen

There are a few ways AIR can start on an email message.

  • An admin triggers it from the email entity by selecting automated investigation.
  • An email alert triggers one.
  • An end-user submits an email as phishing.
    • End-users who submit messages as phishing or spam can receive the verdict for their messages, if configured.