Automated Investigation and Response (AIR) is an important part of Defender for Office 365. Over the past months Microsoft has improved the auto-remediation of malicious messages in the AIR capability, with the aim of avoiding manual actions when malicious content is detected.

Around May 2025, Microsoft announced auto-remediation of malicious messages through automated investigation and response (AIR) as a new feature. With it, Microsoft is expanding the tool and delivering more automation as a native part of the product: AIR now automatically triages, investigates, remediates, and responds to high-impact alerts without requiring SOC team approval.

AIR forms clusters around malicious files or URLs and, if configured, remediates all related messages automatically: the similar messages grouped in the cluster are removed and remediated without manual intervention.

What is Automated Investigation and Response (AIR)?

Automated investigation and response (AIR) is part of Defender for Office 365 Plan 2 / Microsoft E5 and is a powerful automated investigation and response capability. AIR triages high-impact, high-volume alerts by completing organization-level investigations. AIR investigations expand on detections or provide additional analysis to determine the threat status for the organization. How does the AIR flow work?

After an alert is triggered, a playbook may start an automated investigation. In the following situations the automated investigation starts automatically:

Step 1: Specific alerts are designed to initiate AIR. These alerts include:

  • Something suspicious is identified in an email (for example, the message itself, an attachment, a URL, or a compromised user account).
  • Zero-hour auto purge (ZAP).
  • User submissions.
  • User click alerts.
  • Suspicious mailbox behavior.

Of course, the analyst can also trigger an automated investigation manually via Defender XDR. This is possible from the email entity page, from Advanced Hunting, from custom detections, and from other places where the actions are visible.

Step 2: The automated investigation evaluates and analyzes the nature of the alert, the message involved, and additional evidence surrounding the message. The scope of the investigation can increase based on the evidence that’s uncovered and collected during the investigation.

Step 3: During and after an automated investigation, details and results are available.

Step 4: The analyst can review the results and perform the recommended actions to remediate threats. More on this later, since this is the step that has been improved: fewer manual actions for the SecOps team and more automated responses based on the findings and the malicious content.

More AIR information: Automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2

Malicious content

Now that we know how AIR works, on to the response to malicious content. Previously, the remediation actions were manual: AIR proposed them, but an analyst had to approve them. Microsoft has released a new enhancement where customers can configure AIR to automatically execute remediations for messages in malicious clusters (more on this later). This saves SOC teams time and removes the need to approve all of the actions in the Action Center of MDO / Defender XDR.

Ok, what is the default?

By default, remediation actions identified by automated investigation and response (AIR) in Microsoft Defender for Office 365 Plan 2 require manual approval. This means that the actions of each investigation need to be approved by hand.

Malicious Clusters?

Malicious clusters may be a new term, but the idea is simple. When AIR recognizes a malicious file or URL, it creates a cluster around that file or URL, grouping all messages that contain it. In short, the cluster holds all messages with the related file or URL, classified as part of the AIR process. The automated investigation then checks the location of the messages within the cluster, and if it finds messages within users' mailboxes, AIR produces a remediation action.

Auto-Remediation

As already mentioned, without any configuration, the investigations need to be reviewed manually in the portal of Defender XDR. With the newly released feature, it is possible to configure the auto-remediation.

If automation is configured to auto-remediate for a cluster type, the action is executed automatically without any approval; this means that all threats in that cluster of emails are removed.

New is the automated remediation of threats. With this enhancement, customers can configure AIR to automatically execute remediations for messages within malicious entity clusters, which saves SOC teams manual investigation time and removes the need for them to approve all of those messages.

Good to know: Microsoft does not automatically remediate clusters larger than 10,000 messages. For clusters larger than 10,000 messages, the remediation shows up as a pending action in the Action Center.

Configuration of auto-remediation

Auto-remediated clusters can be configured via the Defender XDR portal. Good to know: this feature is not enabled by default and needs to be configured in the Defender XDR portal. Each cluster type can be configured separately. Currently, the following cluster types are available:

  • Similar files
  • Similar URLs

AIR launches a remediation action; if the customer has configured the cluster type to auto-remediate, this action is executed automatically without the need for SecOps approval, which means less time spent on soft-deleting mails and less manual work.

Configuration is easy: go to Defender XDR > Settings > Email & Collaboration > MDO automation settings, where the setting can be configured for the cluster types above. Currently, the only available remediation action is Soft Delete.

Review automated actions

All automated actions are available in the Action Center of Defender XDR. Without the automation settings, all actions appear on the Pending tab. Automatically remediated clusters appear on the History tab, with Approved as the decision.

Status Completed means that the action type (Soft delete emails) has completed and was approved automatically. The example below was completed by automation:

Threat explorer

Threat Explorer can be used to review the automatically remediated emails. Automatically remediated messages have the Additional action value Automated remediation; all e-mails with that value have been handled automatically.

Advanced Hunting

In Advanced Hunting, automatically remediated messages are in the EmailPostDeliveryEvents table. The relevant columns are:

  • ActionType equals Automated Remediation
  • ActionTrigger equals Automation

Example KQL query:

EmailPostDeliveryEvents
| where ActionType == "Automated Remediation" and ActionTrigger == "Automation"
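To go one step further than the query above, here is an added example query (written for this page, not taken from the post or from Microsoft) that reviews a week of automated remediations per message, joins sender, subject and threat type from EmailEvents, and counts remediations that did not complete. The ActionType and ActionTrigger values come from the post; Timestamp, NetworkMessageId, RecipientEmailAddress, ActionResult, DeliveryLocation, SenderFromAddress, Subject and ThreatTypes are standard Advanced Hunting columns; the 7-day window and the "Success" result value are assumptions of this example.

```kql
// Added example (not from the post or Microsoft): review AIR auto-remediation
// over the last 7 days. The ActionType/ActionTrigger values come from the post;
// the 7-day window and the "Success" result value are assumptions.
let lookback = 7d;
let autoRemediated =
    EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "Automated Remediation" and ActionTrigger == "Automation"
    | project Timestamp, NetworkMessageId, RecipientEmailAddress, ActionResult, DeliveryLocation;
autoRemediated
// Add sender, subject and threat type from the original delivery record
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject, ThreatTypes
  ) on NetworkMessageId, RecipientEmailAddress
// One row per remediated message: how many mailboxes were cleaned, from which
// locations, and whether any of the soft deletes did not succeed
| summarize Recipients = dcount(RecipientEmailAddress),
            NotSucceeded = countif(ActionResult != "Success"),   // assumption: "Success" is the result value
            Locations = make_set(DeliveryLocation),
            FirstAction = min(Timestamp),
            LastAction = max(Timestamp)
    by NetworkMessageId, SenderFromAddress, Subject, ThreatTypes
| order by NotSucceeded desc, Recipients desc
```

Run it under Hunting > Advanced hunting in Defender XDR. Rows with NotSucceeded above zero are the messages where the automated soft delete did not complete for every recipient and still need a look in the Action Center; the Locations set shows where the messages sat (for example the inbox or junk folder) when AIR acted on them.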

Sources

Microsoft: Auto-Remediation of Malicious Messages in Automated Investigation and Response (AIR) is GA

Microsoft: Automated investigation and response in Microsoft Defender for Office 365 – Office 365 | Microsoft Learn

Microsoft: Automated remediation in Automated investigation and response (AIR)