Skip to main content
日本語 简体中文 繁體中文

[Cloud Protection] Consideration of Operational Policies

Target

  • Cloud Protection Administrators

Purpose

  • This document explains the items that administrators should consider in advance when a threat is detected in Cloud Protection.

Notes

  1. The content of this article is based on the product details as of July 2025 and may change without notice thereafter.

Types of Detectable Threats

Cloud Protection can monitor the following threats that may occur on Microsoft 365 in real-time and automatically respond when a threat is detected.

  1. Exchange Online
    ・Files containing malware (viruses, trojans, ransomware, etc.) attached to items on Exchange Online (※)
    ・Malicious URLs on Exchange Online items
    ・Leakage of Microsoft 365 accounts to third parties (account compromise)
    ・Malicious inbox rules
    ※ Microsoft Office 365 user mailbox items such as emails, attachments, calendar events, notes, contacts, groups, etc.
  2. SharePoint
    ・Files containing malware (viruses, trojans, ransomware, etc.) or malicious URLs uploaded to created sites
  3. OneDrive
    ・Files containing malware (viruses, trojans, ransomware, etc.) or malicious URLs uploaded
  4. Teams
    ・Files containing malware (viruses, trojans, ransomware, etc.) or malicious URLs uploaded

※ The files that can detect malicious URLs in SharePoint / OneDrive / Teams are as follows.

  • Microsoft Excel / Microsoft Word / Microsoft PowerPoint / PDF / OpenDocumentPresentation / OpenDocumentSpreadsheet / OpenDocumentText
  • Only hyperlinked URLs in PDF files are targeted.

Response to Threats

When a threat is detected, the following responses are possible.

Exchange Online

1. Malware files attached to Exchange Online items+

・Automatically delete the entire Exchange Online item or only the malware file 
・Automatically quarantine the entire Exchange Online item or only the malware file
・Take no action

Description:
If you choose to delete, the Exchange Online item or malware file cannot be restored and will be completely deleted.
If you choose to quarantine, the Exchange Online item or malware file will be temporarily hidden from Microsoft 365, preventing it from spreading to end-user devices.
Files in quarantine can be checked by administrators on the Cloud Protection management screen and can be restored (released) later.
When a quarantined item is released, it is restored to its original location and can be viewed and operated by users.
Even after a file is released, if it is detected again, it will be quarantined.

2. Malicious URLs on Exchange Online items+

・Automatically delete the Exchange Online item
・Automatically quarantine the Exchange Online item
・Change the subject and disable the URL link
・Take no action

Description:
If you choose to delete, the Exchange Online item cannot be restored and will be completely deleted.
If you choose to quarantine, the Exchange Online item will be temporarily hidden from Microsoft 365, preventing it from spreading to end-user devices.
Items in quarantine can be checked by administrators on the Cloud Protection management screen and can be restored (released) later.
When a quarantined item is released, it is restored to its original location and can be viewed and operated by users.

3. Malicious inbox rules+

・Detect suspicious rules in inbox rules

Description:
If suspicious inbox rules that perform actions such as moving, forwarding, or deleting emails are detected, notifications can be sent to administrators or users.

4. Compromised accounts+

・Detect if the connected Microsoft 365 account matches the leaked identifier

If a match between the connected Microsoft 365 account and the leaked identifier is detected, notifications can be sent to administrators or users.

5. Notification+

When any of the above processes are detected, you can define the notification destination.
・Email notification to users
・Email notification to administrator email addresses
・Perform both of the above actions

SharePoint

1. Malware files uploaded to SharePoint sites+

・Automatically quarantine malware files
・Automatically delete malware files
・Take no action

Description:
If you choose to delete, malware files uploaded to SharePoint sites cannot be restored and will be completely deleted.
If you choose to quarantine, malware files will be temporarily quarantined, preventing them from spreading to end-user devices.
Files in quarantine can be checked by administrators on the Cloud Protection management screen and can be restored (released) later.
When a quarantined item is released, it is restored to its original location and can be viewed and operated by users.
Furthermore, it will be recorded as a safe file within Cloud Protection, and even if the same file is uploaded again, it will be detected but not quarantined. (In Exchange protection, even a released file will be quarantined again if detected)
Also, this behavior cannot be reverted (to be quarantined again).
※ The quarantine method differs depending on the connection status with Teams.
・Team sites and communication sites not connected to Teams: Malware files will be temporarily hidden from Microsoft 365.
・Team sites not connected to Teams: Malware files will be moved to a quarantine area and replaced with a file appended with [HARMFUL_CONTENT_REMOVED].

2. Notification+

When any of the above processes are detected, you can define the notification destination.
・Email notification to administrator email addresses

OneDrive

1. Malware files uploaded to OneDrive+

・Automatically quarantine malware files
・Automatically delete malware files
・Take no action

Description:
If you choose to delete, malware files uploaded to OneDrive cannot be restored and will be completely deleted.
If you choose to quarantine, malware files will be temporarily hidden from Microsoft 365, preventing them from spreading to end-user devices.
Files in quarantine can be checked by administrators on the Cloud Protection management screen and can be restored (released) later.
When a quarantined item is released, it is restored to its original location and can be viewed and operated by users.
Furthermore, it will be recorded as a safe file within Cloud Protection, and even if the same file is uploaded again, it will be detected but not quarantined. (In Exchange protection, even a released file will be quarantined again if detected)
Also, this behavior cannot be reverted (to be quarantined again).

2. Notification+

When any of the above processes are detected, you can define the notification destination.
・Email notification to administrator email addresses

Teams

1. Malware files uploaded to Teams sites+

・Automatically quarantine malware files
・Automatically delete malware files
・Take no action

If you choose to delete, files containing malware uploaded to Teams cannot be restored and will be completely deleted.
If you choose to quarantine, malware files will be temporarily quarantined, preventing them from spreading to end-user devices.
※ The behavior during quarantine differs between Teams chat and Teams channels.
・Teams chat: Files remain visible in both the [Chat] tab and the [Shared] tab, while the main body is quarantined.
※ Please note that only PDF files can be previewed in chats with others.
・Teams channel: Files remain visible in the [Posts] tab, while the main body is quarantined.
In the [Files] tab, the file is replaced with one appended with [HARMFUL_CONTENT_REMOVED] and quarantined.
Files in quarantine can be checked by administrators on the Cloud Protection management screen and can be restored (released) later.
When a quarantined item is released, it is restored to its original location and can be viewed and operated by users.
Furthermore, it will be recorded as a safe file within Cloud Protection, and even if the same file is uploaded again, it will be detected but not quarantined. (In Exchange protection, even a released file will be quarantined again if detected)
Also, this behavior cannot be reverted (to be quarantined again).

2. Notification+

When any of the above processes are detected, you can define the notification destination.
・Email notification to administrators

Considerations for Policy Settings

In Cloud Protection, you can configure policy settings and start operations using the following three methods.

  • Set notifications only without taking any action
  • Protect only some users
  • Start detection/quarantine for all users

※ Please refer to the following for how to create a policy
Create a New Policy

▼ Set notifications only without taking any action+

Configure the following settings in the policy.

[Configuration Method]

Set the processing for malware scanning and URL scanning as follows.
Processing: Do nothing
Reference article: Create a New Policy

[Content]

In this setting, malware and malicious URLs, etc., will be detected, but no actual processing will be performed.
By checking the detection status, you can confirm the extent to which malware, etc., is detected within the company.
This allows you to consider the necessary workload for future operations.
Additionally, notifications can be sent to users as needed.
Since quarantine is not performed, it is easy to introduce, and this setting is recommended during initial setup.

▼ Connect only some users+

Specify the protected users for each service.
Reference article: Connection procedure for protected mailboxes

【How to Configure】

Select the target service (Exchange, SharePoint, etc.) from the cloud services.
Exchange: Select Customize mailbox protection
SharePoint / OneDrive / Teams: Turn off Automatically protect newly added SharePoint, Teams, and OneDrive assets

【Content】

In this setting, if quarantine, etc., is defined by policy, the behavior when quarantined and notification behavior can be deployed to only some users.
By narrowing down the target, you can consider creating manuals in line with actual operations and the timing of user awareness before full deployment.
Please verify the processes that can be defined by various policies and start operations gradually.

▼ Start applying to all users+

You can immediately deploy company-wide and start operations.
If quarantine processing is applied by policy, users' emails will be quarantined, so please be careful when starting operations.

【How to Configure】

Select the target service (Exchange, SharePoint, etc.) from the cloud services.
Exchange: Protect all mailboxes 
Please protect all other services.
Reference article: Connection procedure for protected mailboxes

【Content】

This setting applies to all users.
If you have set a quarantine policy, files will be quarantined.
If there are no concerns, you can immediately start security measures.

Reference

Response when a threat is detected
How to check details of detected threats
Checking the dashboard