Article, 6th March, 2026

Phishing Response Automation for Microsoft 365: Remove Malicious Email Org-Wide

A single phishing email can compromise your entire organization in minutes. Manual investigation and removal takes hours. Here's how to automate phishing response to purge malicious emails org-wide in seconds.

The Phishing Response Time Problem

When a phishing campaign targets your organization, the same malicious email often lands in dozens or hundreds of mailboxes simultaneously. The manual response workflow looks like this:

Typical Manual Phishing Response Timeline

  • T+0: User reports suspicious email
  • T+15m: SOC analyst reviews the report
  • T+30m: Analyst confirms malicious intent, opens Threat Explorer
  • T+45m: Analyst searches for all recipients of the email
  • T+60m: Analyst initiates soft delete across all mailboxes
  • T+90m: Analyst blocks sender/URL at the tenant level

Total time: 90+ minutes. By then, 10-15% of users may have already clicked.

Research shows the median time for a user to click a phishing link is under 60 seconds after opening the email. If your response takes 90 minutes, you've already lost the race.

Microsoft 365 Native Phishing Response Options

Microsoft Defender for Office 365 provides several built-in capabilities for phishing response. Here's what each does and where it falls short:

Zero-Hour Auto Purge (ZAP)

ZAP automatically removes emails from mailboxes after delivery if Microsoft's filters later determine the message is malicious.

Strengths

  • Fully automatic, no analyst action needed
  • Works retroactively on delivered mail
  • Covers spam, phishing, and malware

Limitations

  • Only triggers when Microsoft updates verdicts
  • Delays can range from minutes to hours
  • Won't catch zero-day or targeted attacks

Threat Explorer Manual Purge

Threat Explorer allows analysts to search for emails by sender, subject, URL, or attachment hash and take bulk remediation actions.

Strengths

  • Flexible search across all mailboxes
  • Bulk delete up to 200K messages
  • Can block sender/URL/file at tenant level

Limitations

  • Requires manual analyst intervention
  • Search and select process is slow
  • No API automation out-of-the-box

Automated Investigation and Response (AIR)

AIR automatically investigates alerts and can take remediation actions, including email purge, based on its findings.

Strengths

  • Investigates alerts automatically
  • Can auto-remediate with or without approval
  • Built into Defender for Office 365 Plan 2

Limitations

  • Limited to Microsoft's detection triggers
  • Can't incorporate external threat intel
  • Approval workflow adds delay

The Automated Phishing Response Playbook

To achieve sub-minute phishing response, you need to orchestrate multiple Microsoft 365 APIs into a single automated workflow. Here's the complete playbook:

Org-Wide Phishing Purge Playbook

Step 1: Trigger Detection

The playbook can be triggered by multiple sources:

  • User-reported phishing via Outlook add-in
  • Microsoft Defender alert (high confidence phishing)
  • External threat intelligence feed match
  • SOC analyst manual trigger with IOCs

Step 2: Extract Indicators of Compromise

Automatically extract searchable IOCs from the reported email:

  • Sender address and sending infrastructure
  • Subject line (exact and fuzzy match)
  • URLs in body and attachments
  • Attachment hashes (SHA256)
  • Message-ID and Internet headers

Step 3: Scope the Blast Radius

Query Microsoft Graph to find all affected mailboxes:

POST /security/threatSubmission/emailThreats
{
  "category": "phishing",
  "recipientEmailAddress": "*",
  "senderEmailAddress": "attacker@malicious.com",
  "subject": "Urgent: Invoice Payment Required"
}

This returns a count and list of all mailboxes containing matching messages.

Step 4: Execute Org-Wide Purge

Use the Microsoft Graph Security API to soft-delete all matching emails:

POST /security/collaboration/emailPurge
{
  "query": {
    "senderAddress": "attacker@malicious.com",
    "subject": "Urgent: Invoice Payment Required"
  },
  "purgeType": "softDelete",
  "purgeAreas": ["mailboxes", "teamsMessages"]
}

Soft delete moves emails to Recoverable Items (reversible for 14 days). Use hard delete only for confirmed malware.

Step 5: Block Future Delivery

Prevent the same attack from recurring:

  • Add sender domain to Tenant Block List
  • Add malicious URLs to URL Block List
  • Add attachment hashes to File Block List
  • Submit IOCs to Microsoft for global protection

Step 6: Notify and Document

Close the loop with affected users and stakeholders:

  • Send automated notification to affected users
  • Log all actions to SIEM with timestamps
  • Create incident ticket with full timeline
  • Flag any users who clicked for additional monitoring
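An added example (not code from the article or from BitLyft) of Steps 2 and 4 in Python: it parses a constructed sample message with the standard library, pulls out the IOCs listed in Step 2, and assembles the soft-delete request body from Step 4 without sending it. The sender and subject are the article's own example values; the URL, Message-ID and attachment are placeholders, and the Graph call itself is assumed to be made by the caller.

```python
import email
import hashlib
import re
from email import policy
# Constructed sample message; sender, URL and attachment are placeholders, not real indicators.
SAMPLE_EML = b"""\
From: "Accounts" <attacker@malicious.com>
Subject: Urgent: Invoice Payment Required
Message-ID: <20260306-sample@malicious.com>
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please review the invoice at https://pay.malicious.com/inv/123 today.
--B1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def extract_iocs(raw: bytes) -> dict:
    """Step 2: pull the searchable indicators out of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, hashes = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            hashes.append(sha256_hex(part.get_payload(decode=True)))  # SHA256 of decoded bytes
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {
        "sender": msg["From"].addresses[0].addr_spec,
        "subject": str(msg["Subject"]),
        "message_id": str(msg["Message-ID"]),
        "urls": sorted(urls),
        "attachment_sha256": hashes,
    }

def build_purge_request(iocs: dict, purge_type: str = "softDelete") -> dict:
    """Step 4: assemble the purge body from the playbook; sending it is out of scope here."""
    return {"query": {"senderAddress": iocs["sender"], "subject": iocs["subject"]},
            "purgeType": purge_type, "purgeAreas": ["mailboxes", "teamsMessages"]}
```

The hash list and URL list feed the Step 5 block lists; the request dict is the Step 4 payload with soft delete as the default, matching the guardrail of hard-deleting only confirmed malware.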

Automated Response Time

With full automation, this entire playbook executes in 30-60 seconds from trigger to complete purge. Compare that to 90+ minutes for manual response.

Automation vs. Approval: Decision Matrix

Not every phishing email should trigger fully automated purge. Use this matrix to decide when to auto-execute vs. require human approval:

Scenario | Confidence | Action
Microsoft Defender high-confidence phishing + known bad URL | Very High | Full auto-purge
External threat intel match (known campaign IOCs) | High | Full auto-purge
Multiple user reports of same email (3+) | High | Full auto-purge
Single user report, no matching threat intel | Medium | Auto-quarantine, require approval for purge
Defender medium-confidence, internal sender spoofed | Medium | Auto-quarantine, require approval for purge
Newly registered domain, no threat intel | Low | Flag for analyst review only

Guardrails for Automated Email Purge

Automated email deletion is powerful but risky. Implement these guardrails to prevent accidental business disruption:

Scope Limits

  • Max 500 mailboxes per auto-purge action
  • Above 500: require human approval
  • Never auto-purge executive mailboxes
  • Exclude shared/service mailboxes by default

Rate Limits

  • Max 3 org-wide purges per hour
  • Cooldown period between purges: 10 min
  • Daily cap: 10 total auto-purge operations
  • Alert SOC if limits approached

Soft Delete First

  • Always use soft delete for phishing
  • Hard delete only for confirmed malware
  • Maintain 14-day recovery window
  • Log all purge actions for audit

Validation Checks

  • Verify sender isn't on trusted list
  • Check domain age (new = higher risk)
  • Cross-reference with user's recent contacts
  • Require 2+ IOC matches for auto-action
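As an added illustration (not BitLyft's code), the decision matrix above and the scope, rate and validation guardrails in this section expressed as one policy in Python; the event fields and the minute-based clock are assumptions chosen so the block runs offline, and a production version would use real timestamps.

```python
from dataclasses import dataclass, field
AUTO_PURGE, QUARANTINE = "full auto-purge", "auto-quarantine, require approval for purge"
REVIEW_ONLY, HOLD = "flag for analyst review only", "hold for human approval (guardrail)"

@dataclass
class PhishEvent:                        # constructed summary of one trigger's signals
    defender_verdict: str = "none"       # "high", "medium" or "none"
    known_bad_url: bool = False
    threat_intel_match: bool = False
    user_reports: int = 0
    sender_on_trusted_list: bool = False
    ioc_matches: int = 0                 # distinct IOCs matched (sender, URL, hash, ...)
    affected_mailboxes: int = 0
    touches_executive_mailbox: bool = False

def matrix_decision(ev: PhishEvent) -> str:
    """Rows of the decision matrix, highest confidence first; unmatched cases are low."""
    if ev.defender_verdict == "high" and ev.known_bad_url:
        return AUTO_PURGE
    if ev.threat_intel_match or ev.user_reports >= 3:
        return AUTO_PURGE
    if ev.user_reports >= 1 or ev.defender_verdict == "medium":
        return QUARANTINE
    return REVIEW_ONLY

@dataclass
class PurgeGuard:
    """Scope, rate and validation guardrails; times are minutes (assumption for the demo)."""
    history: list = field(default_factory=list)   # minutes at which auto-purges ran
    max_mailboxes: int = 500
    per_hour: int = 3
    cooldown_min: int = 10
    daily_cap: int = 10

    def decide(self, ev: PhishEvent, now_min: int) -> str:
        action = matrix_decision(ev)
        if action != AUTO_PURGE:
            return action
        if ev.sender_on_trusted_list or ev.ioc_matches < 2:   # validation checks
            return QUARANTINE
        if ev.touches_executive_mailbox or ev.affected_mailboxes > self.max_mailboxes:
            return HOLD                                        # scope limits
        last_hour = sum(1 for t in self.history if now_min - t < 60)
        today = sum(1 for t in self.history if now_min - t < 1440)
        in_cooldown = bool(self.history) and now_min - self.history[-1] < self.cooldown_min
        if last_hour >= self.per_hour or today >= self.daily_cap or in_cooldown:
            return HOLD                                        # rate limits
        self.history.append(now_min)
        return AUTO_PURGE
```

Only decisions that actually auto-purge count against the hourly, cooldown and daily limits; held or quarantined events leave the budget untouched so an analyst-approved purge is not blocked by earlier holds.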

Measuring Phishing Response Success

Track these metrics to demonstrate ROI and continuously improve your automated phishing response:

Speed Metrics

  • Time to Detect: Report/alert to triage start
  • Time to Contain: Triage start to purge complete
  • Time to Block: Purge to tenant block in place
  • Total MTTR: End-to-end response time

Effectiveness Metrics

  • Click Rate: % of recipients who clicked before purge
  • Credential Exposure: Users who entered creds
  • False Positive Rate: Legitimate emails purged
  • Coverage: % of phishing caught by automation

How BitLyft AIR® Automates Phishing Response

BitLyft AIR® integrates directly with Microsoft 365 to provide turnkey phishing response automation:

  • One-Click Org-Wide Purge: Pre-built playbook searches all mailboxes and executes purge via Graph API in under 60 seconds
  • Multi-Source Triggers: Triggers from Defender alerts, user reports, or external threat intel feeds
  • Built-In Guardrails: Configurable scope limits, rate limits, VIP exclusions, and approval workflows
  • Automatic Blocking: Adds sender, URL, and file hashes to Tenant Block Lists automatically
  • User Notification: Sends customizable notifications to affected users explaining the removed threat

Frequently Asked Questions

Can automated purge delete legitimate emails by mistake?

Yes, which is why guardrails are critical. Always use soft delete (recoverable for 14 days), set scope limits, and require approval for large-scale purges. Monitor false positive rates and tune detection thresholds accordingly.

What Microsoft 365 license is required for automated purge?

Full automation via Graph API requires Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 E5) or the standalone add-on. Plan 1 provides manual Threat Explorer but lacks API access for automation.

How do we handle phishing in Microsoft Teams messages?

The same Graph API purge endpoint supports Teams messages. Set "purgeAreas" to include "teamsMessages" to remove malicious links from both email and Teams simultaneously.

Should we notify users when we remove a phishing email?

Yes. User notification serves two purposes: it explains why an expected email disappeared, and it reinforces security awareness by showing the system protected them. Keep notifications brief and non-alarming.

Stop Phishing in Seconds, Not Hours

See how BitLyft AIR® automates phishing response for Microsoft 365 environments with built-in guardrails and one-click org-wide purge.
