Forum Discussion
EmiliePhishing (Copper Contributor)
Mar 03, 2025
Attack Simulation - Copy to SOC Mailbox
Hello Community!
Currently we are using KnowBe4 to simulate phishing campaigns. We are evaluating the Microsoft E5 Attack simulation. One problem that I cannot figure out with the MSFT version is as follows:
I have the SOC mailbox set up to send phishing emails to a shared mailbox for triage (I have it set up to not forward to Microsoft).
When I create an attack simulation, and folks report the phish, I still get a copy of it in the phishing mailbox (I send these out monthly to thousands of people, so I would prefer not to have a copy).
I have looked at the email headers, and there is nothing in them that I can create a custom rule for.
Has anyone been able to filter out attack simulation emails, while still receiving normal user reported emails in the SOC mailbox?
Any advice appreciated.
Em
- duliprb (Brass Contributor)
I couldn't deep dive, though. Check whether headers in the email persist, like the ones below.
X-MS-Exchange-Organization-SCL, X-Microsoft-Antispam
- Joe Stocker (Bronze Contributor)
You could insert a special character in the attack simulation into the body of the email so that your custom rule could then fire. https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-payloads#modify-payloads
- EmiliePhishing (Copper Contributor)
Hi Joe,
I think that's what I'm going to have to end up doing; I was trying to avoid editing the hundreds of payloads :)
Thanks for your reply,
Em