Forum Discussion
Kiril
Sep 23, 2021 - Iron Contributor
How to quickly react to a user reported phishing e-mail?
When a user reports an e-mail as phishing I receive an alert notification, which leads me to the Incident page in Microsoft 365. - How can I find similar e-mails on that page in case any other us...
- Sep 23, 2021
The three variables I would look for are sender domain, subject and payload URL. If anyone knows a good way to track a common attachment, I would be interested, bearing in mind that I do not use the Defender endpoint and only use Defender for O365.
The Threat Management \ Explorer screen in the Security & Compliance portal can do most of that. Set it for All Mails and then add in the criteria, bearing in mind that some of them are a long way down that list. You can get a bit more flexibility from Hunting \ Advanced Hunting which is now available on the Security portal, but you would have to learn a bit of KQL or ask for queries in these groups.
If you do not have Defender for O365 or equivalent then in the Security & Compliance portal you have Mail Flow \ Message Trace, which will accept wild cards such as *@example.com in the By These People sender field.
Any of these simple traces can be a test for malignancy in itself if you are unsure whether a sighting is malign or not.
ExMSW4319
Sep 23, 2021 - Iron Contributor
As far as I am aware, Threat Explorer and Advanced Hunting are both "near real-time" so neither has any advantage in speed over the other. "Sender Domain" means a full right-hand side match, so if your attacker is morphing on subdomains or you just want to know how much rubbish you are getting from a given junk registry's customers then you need KQL to query the partial namespace. I do not know what is possible with automation. Finally, there are third-party products that will connect to your tenancy and automatically take action if they see mail that breaks their threat detection rules.
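An added example (not from either poster) of the kind of Advanced Hunting query the post above refers to: it pivots on the three variables named earlier in the thread (sender domain, subject, payload URL) and, going a step further than the thread, also matches a common attachment by its SHA-256 via the EmailAttachmentInfo table. The seed values, the 7-day window and the "endswith" partial-namespace match are assumptions; replace the placeholders with values taken from the reported message.

```kql
// Added example: find messages resembling a user-reported phish in Defender for Office 365
// Advanced Hunting. All seed values below are placeholders copied from the reported e-mail.
let seedDomain  = "example.com";        // placeholder: right-hand side of the reported sender address
let seedSubject = "Invoice overdue";    // placeholder: subject of the reported message
let seedUrlHost = "login-example.net";  // placeholder: host of the payload URL
let seedSha256  = "<sha256 of the reported attachment>";  // placeholder, leave empty to skip
let lookback = 7d;                      // assumption: how far back to search
// Messages carrying a URL on the payload host (or a subdomain of it).
let phishUrls = EmailUrlInfo
    | where Timestamp > ago(lookback)
    | where UrlDomain endswith seedUrlHost
    | distinct NetworkMessageId;
// Messages carrying the same attachment, matched by hash rather than file name.
let phishAttachments = EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(seedSha256) and SHA256 == seedSha256
    | distinct NetworkMessageId;
EmailEvents
| where Timestamp > ago(lookback)
| join kind=leftouter phishUrls on NetworkMessageId
| join kind=leftouter phishAttachments on NetworkMessageId
// "endswith" is the partial namespace match: it also catches a.example.com, b.example.com ...
// which an exact SenderFromDomain == seedDomain filter would miss.
| extend SenderMatch     = SenderFromDomain endswith seedDomain,
         SubjectMatch    = Subject has seedSubject,
         UrlMatch        = isnotempty(NetworkMessageId1),
         AttachmentMatch = isnotempty(NetworkMessageId2)
| where SenderMatch or SubjectMatch or UrlMatch or AttachmentMatch
// One row per sender domain / subject pair: how many mailboxes got it and whether it was delivered.
| summarize Recipients = dcount(RecipientEmailAddress),
            Delivered  = countif(DeliveryAction == "Delivered"),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp),
            Senders    = make_set(SenderFromAddress, 10),
            Locations  = make_set(DeliveryLocation)
      by SenderFromDomain, Subject, SenderMatch, SubjectMatch, UrlMatch, AttachmentMatch
| order by Recipients desc
```

Rows where Delivered is greater than zero are the messages still sitting in mailboxes; the NetworkMessageId values behind them are what you would feed to a subsequent soft- or hard-delete action.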
- Kiril
Sep 29, 2021 - Iron Contributor
Advanced Hunting seems to be the way to go when you want to be fast. Is it possible to issue a Soft or Hard Delete from Advanced Hunting?