Microsoft 365 detection and remediation

Microsoft 365 provides partial coverage for malware detection, which is performed periodically via offline scans (15+ minutes after download). After a malicious file has been identified, it becomes unshareable and the OneDrive user interface displays a warning that it cannot be shared.

There are file types in which Microsoft 365 does not detect malware. Coro detects malware in these files as soon as they are uploaded to cloud storage from an external source or the user's device.

After Coro moves the file to the Suspected folder, a ticket is created. The admin user has the following remediation options available:

  • The file can be approved. An approved file is returned to its original location on the cloud drive.
  • The file can be deleted, effectively putting it on a block list for the entire organization. In this case, the file is removed from the Suspected folder. File deletion is currently not available via a Microsoft API.
  • The file can be moved to the trash. Files in the trash are kept for up to 30 days.

Using Coro to suspend a compromised Microsoft 365 user account immediately prevents anyone from logging in with those account credentials. If suspension is triggered while the user is logged in, be aware that it can take Microsoft up to 60 minutes to enact the suspension, after which the user is automatically logged out.