Forum Discussion
Kiril
Sep 23, 2021 (Iron Contributor)
How to quickly react to a user reported phishing e-mail?
When a user reports an e-mail as phishing I receive an alert notification, which leads me to the Incident page in Microsoft 365. - How can I find similar e-mails on that page in case any other us...
- Sep 23, 2021: The three variables I would look for are sender domain, subject and payload URL. If anyone knows a good way to track a common attachment, I would be interested, bearing in mind that I do not use the Defender endpoint and only use Defender for O365.
The Threat Management \ Explorer screen in the Security & Compliance portal can do most of that. Set it for All Mails and then add in the criteria, bearing in mind that some of them are a long way down that list. You can get a bit more flexibility from Hunting \ Advanced Hunting which is now available on the Security portal, but you would have to learn a bit of KQL or ask for queries in these groups.
If you do not have Defender for O365 or equivalent then in the Security & Compliance portal you have Mail Flow \ Message Trace, which will accept wild cards such as *@example.com in the By These People sender field.
Any of these simple traces can be a test for malignancy in itself if you are unsure whether a sighting is malign or not.
ExMSW4319
Sep 23, 2021 (Iron Contributor)
As far as I am aware, Threat Explorer and Advanced Hunting are both "near real-time" so neither has any advantage in speed over the other. "Sender Domain" means a full right-hand side match, so if your attacker is morphing on subdomains or you just want to know how much rubbish you are getting from a given junk registry's customers then you need KQL to query the partial namespace. I do not know what is possible with automation. Finally, there are third-party products that will connect to your tenancy and automatically take action if they see mail that breaks their threat detection rules.
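Editor's note: the two replies above describe pivoting from one reported message to look-alikes by sender domain, subject, payload URL and attachment, with a KQL suffix match where the sender is morphing on subdomains. The Advanced Hunting query below is an added illustration of that, not code posted by anyone in this thread. It assumes the Defender for Office 365 tables EmailEvents, EmailUrlInfo and EmailAttachmentInfo with their documented columns; the NetworkMessageId and the parent domain are placeholders to replace with values from the reported message.

```kusto
// Added example (not from the thread). Starting from one user-reported message,
// find other messages in the lookback window that share its sender domain,
// subject, payload URL domain or attachment SHA256, then summarise who received them.
let reportedId = "00000000-0000-0000-0000-000000000000";   // placeholder: NetworkMessageId of the reported mail
let parentDomain = ".example.com";                         // placeholder: right-hand side for the subdomain-morphing check
let lookback = 7d;
// Attributes of the reported message itself
let reportedDomains = EmailEvents
    | where Timestamp > ago(lookback) and NetworkMessageId == reportedId
    | distinct SenderFromDomain;
let reportedSubjects = EmailEvents
    | where Timestamp > ago(lookback) and NetworkMessageId == reportedId
    | distinct Subject;
let reportedUrlDomains = EmailUrlInfo
    | where Timestamp > ago(lookback) and NetworkMessageId == reportedId
    | distinct UrlDomain;
let reportedHashes = EmailAttachmentInfo
    | where Timestamp > ago(lookback) and NetworkMessageId == reportedId
    | distinct SHA256;
// Every other message in the window, enriched with its URL domains and attachment hashes
EmailEvents
| where Timestamp > ago(lookback) and NetworkMessageId != reportedId
| join kind=leftouter (
    EmailUrlInfo
    | where Timestamp > ago(lookback)
    | distinct NetworkMessageId, UrlDomain
  ) on NetworkMessageId
| join kind=leftouter (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | distinct NetworkMessageId, SHA256
  ) on NetworkMessageId
// First matching reason wins; the endswith clause is the partial-namespace match
// the second reply refers to, for senders that rotate subdomains under one registrar.
| extend MatchReason = case(
    SenderFromDomain in (reportedDomains),      "exact sender domain",
    SenderFromDomain endswith parentDomain,     "sender subdomain",
    Subject in (reportedSubjects),              "subject",
    UrlDomain in (reportedUrlDomains),          "payload URL domain",
    SHA256 in (reportedHashes),                 "attachment hash",
    "")
| where isnotempty(MatchReason)
| summarize
    Messages          = dcount(NetworkMessageId),
    Recipients        = make_set(RecipientEmailAddress, 100),
    DeliveryLocations = make_set(LatestDeliveryLocation),
    FirstSeen         = min(Timestamp),
    LastSeen          = max(Timestamp)
    by MatchReason, SenderFromDomain, Subject
| order by Messages desc
```

The summarise step keeps LatestDeliveryLocation so you can see at a glance which copies are still in inboxes rather than already in quarantine or junk, which is the set a responder cares about before taking any delete action.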
Kiril
Sep 29, 2021 (Iron Contributor)
Advanced Hunting seems to be the way to go when you want to be fast. Is it possible to issue a Soft or Hard Delete from Advanced Hunting?