This admin procedure will provide background information on how to block an internal user that is sending malicious emails to partner organizations.
This article is intended for employees of organizations that use Sittadel's security. Additionally, there are some actions that can only be accomplished by those with administrative privileges.
Block List
The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override Threat Policy verdicts. In the case of creating a blacklist entry, if any item is detected that matches the criteria of the entry it will be blocked outright before any threat policy analyzing takes place.
Procedure Scope: Administrators
Required Group Membership: Admin.EmailSecurity
Blacklisting a Held Outbound Email
- Navigate to Email Quarantine – O365 Defender, locate the held email that includes the internal user you wish to blacklist. Selecting the email will generate a pop-up that will have all the details of the hold, select the Three Dots followed by Block Sender. If this mail is coming from an internal user but is being flagged for malicious intent for an external partner organization, it would be best to add a temporary ban until the emailing issue can be resolved.
- A confirmation pop-up will be displayed detailing the process of adding a domain to a blocked list and how their messages will be handled moving forward. Select Block to finalize the Blacklisting process.
You're Finished!
You should have successfully blacklisted the internal user from sending mail until a remediation process can be deployed. For any other problems or questions, reach out to us!