Forum Discussion
Nepttunus
Sep 26, 2024 | Copper Contributor
Sentinel - Phishing automation
Hello, I would like to know how to process an automation related to phishing. When a user marks an email as phishing or spam, it should be automatically verified. If it is phishing, it will perform a query to check if it has reached other inboxes, and if so, delete those as well. If, after analysis, no malicious indications are found, the email should be placed back in the user's inbox. Can anyone give me some tips? Thank you.
- Nimantha_Deshappriya (Copper Contributor): When investigating phishing emails, manual analysis is necessary because some of these emails contain sophisticated URLs that can bypass security filters. Once a phishing email is identified, Azure Logic Apps can be leveraged to check whether the email has been delivered to other users. If so, the app can be used to automatically delete the emails from their inboxes. This would require a more complex Azure Logic App, involving integration between Logic Apps and Microsoft Defender for Office 365, and potentially utilizing advanced threat hunting KQL queries within the workflow.
- Nepttunus (Copper Contributor): Hi,
Many thanks for the explanation.
I was thinking of something like: if it is the user who indicates that it is phishing, it would somehow go to an OSINT platform (VirusTotal, abuseip, etc.) and check the indicators of compromise. If the evaluation is positive, they would be removed, and if they are benign, the action would be to return them to the inbox. Something that would work based on the score of the analysis.
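The two building blocks discussed in this thread, the score-based verdict on the reported message's indicators and the advanced hunting query that finds which other mailboxes received the same message, as an added example. This is illustrative code written for this page, not code from either poster or from Microsoft; the thresholds, the `IndicatorResult` shape (modelled on VirusTotal-style `last_analysis_stats` counts) and all sample indicator numbers are assumptions, while `EmailEvents`, `NetworkMessageId`, `DeliveryAction` and `RecipientEmailAddress` are the real Defender for Office 365 advanced hunting table and columns.

```python
"""Added example for a phishing-report automation (not from the thread).

1. triage(): turns OSINT lookups of the message's indicators into one of
   'delete' / 'restore' / 'manual_review'.
2. other_recipients_query(): builds the Defender for Office 365 advanced
   hunting (KQL) query listing every mailbox the same message was delivered to,
   which a Logic App step would run before purging copies.
All indicator counts used below are constructed sample data, not real lookups.
"""
from __future__ import annotations

from dataclasses import dataclass

# Thresholds are assumptions; tune them to the tenant's false-positive tolerance.
MALICIOUS_RATIO_DELETE = 0.10   # >= 10% of engines flag an indicator -> purge
MAX_FLAGS_RESTORE = 0           # auto-restore only if no engine flagged anything


@dataclass(frozen=True)
class IndicatorResult:
    """One indicator (URL, domain, IP or attachment hash) and its vendor verdict counts."""
    indicator: str
    malicious: int
    suspicious: int
    harmless: int
    undetected: int

    @property
    def ratio(self) -> float:
        """Fraction of engines that flagged the indicator (malicious or suspicious)."""
        total = self.malicious + self.suspicious + self.harmless + self.undetected
        return 0.0 if total == 0 else (self.malicious + self.suspicious) / total


def triage(results: list[IndicatorResult]) -> str:
    """Return 'delete', 'restore' or 'manual_review' for a user-reported message.

    The message is judged by its worst indicator: a single clearly malicious URL
    is enough to purge, while 'restore' requires every indicator to be clean.
    Anything in between goes to an analyst, matching the advice in the thread that
    sophisticated lures still need a human look. No indicators means no evidence
    of benignity, so that case is also sent for review rather than restored.
    """
    if not results:
        return "manual_review"
    worst = max(results, key=lambda r: r.ratio)
    if worst.ratio >= MALICIOUS_RATIO_DELETE:
        return "delete"
    if all(r.malicious + r.suspicious <= MAX_FLAGS_RESTORE for r in results):
        return "restore"
    return "manual_review"


def other_recipients_query(network_message_id: str, lookback_days: int = 7) -> str:
    """Build the advanced hunting KQL that finds every mailbox the message reached.

    NetworkMessageId identifies one message across all its recipients in the
    EmailEvents table; only copies actually delivered to a mailbox are returned.
    """
    # NetworkMessageId should be a GUID; doubling quotes keeps an unexpected value
    # from breaking out of the string literal.
    safe_id = network_message_id.replace("'", "''")
    return (
        "EmailEvents\n"
        f"| where Timestamp > ago({lookback_days}d)\n"
        f"| where NetworkMessageId == '{safe_id}'\n"
        "| where DeliveryAction == 'Delivered'\n"
        "| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, NetworkMessageId"
    )


if __name__ == "__main__":
    # Constructed sample: one lure URL flagged by many engines, one clean domain.
    sample = [
        IndicatorResult("https://login-verify.example.invalid/account", 20, 3, 50, 17),
        IndicatorResult("example.invalid", 0, 0, 80, 10),
    ]
    print("verdict:", triage(sample))
    print(other_recipients_query("00000000-0000-0000-0000-000000000000"))
```

In a Logic App the flow would be: on the user report, look up the message's URLs and attachment hashes, call `triage()`; on `delete`, run the query from `other_recipients_query()` through the advanced hunting API and remove each returned copy; on `restore`, move the reporter's message back to the inbox; on `manual_review`, open a ticket for an analyst.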