cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Mark a URL as malicious in Microsoft 365 Defender

Kiril
Iron Contributor

‎Dec 13 2022 09:31 AM

‎Dec 13 2022 09:31 AM

Mark a URL as malicious in Microsoft 365 Defender

Our tenant received phishing mails a few days ago from an external hacked email account with good reputation. Emails went through, and contained a link to a phishing site.

 

Now that I know the URL from the mail is malicious, how can I tell Microsoft 365 Defender retroactively about it?

 

Is there any other action I should take, e.g. check Advanced Hunting or check any other logs for that malicious URL or even the malicious sender?

 

 

4,300 Views
0 Likes
4 Replies
Reply
4 Replies
R_Gijsbers_Rademakers

‎Dec 13 2022 12:47 PM

‎Dec 13 2022 12:47 PM

Re: Mark a URL as malicious in Microsoft 365 Defender

Hi @Kiril, if you have the right license, you could use the safe links configuration to block the url as described here: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o...

Another option would be via the threat explorer on https://security.microsoft.com. Search for the email and open the email entity. From the URL tab, you can select the malicious URL and block it from there. Br, Ruud
1 Like
Reply
Kiril

‎Dec 15 2022 12:56 AM

‎Dec 15 2022 12:56 AM

Re: Mark a URL as malicious in Microsoft 365 Defender

@R_Gijsbers_Rademakers thanks! The URL you provided links a deprecated feature, and the newly recommended approach is to use Tennant Allow/Block list. Thank you for the hint in that direction.

 

The Block the following URLs list for Safe Links is in the process of being deprecated. Use block entries for URLs in the Tenant Allow/Block List instead. Messages containing the blocked URL are quarantined.

 

A third option I found is using the Submission center to directly submit a URL to Microsoft and block it respectively.

 

1 Like
Reply
R_Gijsbers_Rademakers

‎Dec 16 2022 11:49 AM

‎Dec 16 2022 11:49 AM

Re: Mark a URL as malicious in Microsoft 365 Defender

Hi @Kiril, happy to have pointed you in the right direction. And thanks for sharing the correct information. Br Ruud

0 Likes
Reply
best response confirmed by Kiril (Iron Contributor)
ExMSW4319

‎Dec 19 2022 02:56 AM

‎Dec 19 2022 02:56 AM

Solution

Re: Mark a URL as malicious in Microsoft 365 Defender

Depending on the severity, I would do all or some of the following:

1) Find the mail on the Security portal and look for additional copies, searching on sender and separately on sender domain and on subject line elements if they are not too generic.

2) If these are not already zapped, report the most recent 10 as phish to stimulate a ZAP. If the original message or copies were zapped but the detection message was spam-related, report them as a phish anyway.

You can also report a URL directly via https://security.microsoft.com/reportsubmission but as far as I am aware, reporting the mail is simpler and quicker. Ideally you have the Report Message add-in for Outlook already deployed and your users trained to use it.

3) You should have a mail flow rule already set up to which you can add the problem URL. You need to be confident of the correct wildcard format to ensure a match. A typical action could be to subject line-tag and divert matches to the hosted quarantine or to an administrative mailbox. This is useful for shutting down cases that Microsoft seem to be unable to accept, but remember that MFR changes take half-an-hour or more to apply, and will also shut down any internal IT discussion of the case. You and any of your colleagues will need to obfuscate the link in whatever format your security providers typically use. If memory serves, Microsoft substitute [%%] for period.

4) The Security portal URL search only matches whole host names. For attacks with varying subdomains, try the KQL:

let timeframe = ago(3d);
EmailUrlInfo
| where Timestamp > timeframe
| where Url contains "suspect.tld"
| join (EmailEvents
| where Timestamp > timeframe)
on NetworkMessageId
| project Timestamp, Subject, SenderIPv4, SenderFromAddress, RecipientEmailAddress, DeliveryLocation, Url, UrlCount
| sort by Subject asc, Timestamp asc

That may help you understand the threat a little more, but it doesn't get the domain into Microsoft's database. Including ThreatTypes, ThreatNames or DetectionMethods in the project may help you see if it is already in there.

5) You can put the URL into the Tenant Allow/Block list under the URL tab, which will also cover you for SharePoint / OneDrive: https://security.microsoft.com/tenantAllowBlockList. Bear in mind that there is a limit of 500 blocks including senders and domains, so a lot of Never Expires will soon run out of space. I don't know if Microsoft uses these entries as a source of intelligence.
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Kiril (Iron Contributor)
ExMSW4319

‎Dec 19 2022 02:56 AM

‎Dec 19 2022 02:56 AM

Solution

Re: Mark a URL as malicious in Microsoft 365 Defender

Depending on the severity, I would do all or some of the following:

1) Find the mail on the Security portal and look for additional copies, searching on sender and separately on sender domain and on subject line elements if they are not too generic.

2) If these are not already zapped, report the most recent 10 as phish to stimulate a ZAP. If the original message or copies were zapped but the detection message was spam-related, report them as a phish anyway.

You can also report a URL directly via https://security.microsoft.com/reportsubmission but as far as I am aware, reporting the mail is simpler and quicker. Ideally you have the Report Message add-in for Outlook already deployed and your users trained to use it.

3) You should have a mail flow rule already set up to which you can add the problem URL. You need to be confident of the correct wildcard format to ensure a match. A typical action could be to subject line-tag and divert matches to the hosted quarantine or to an administrative mailbox. This is useful for shutting down cases that Microsoft seem to be unable to accept, but remember that MFR changes take half-an-hour or more to apply, and will also shut down any internal IT discussion of the case. You and any of your colleagues will need to obfuscate the link in whatever format your security providers typically use. If memory serves, Microsoft substitute [%%] for period.

4) The Security portal URL search only matches whole host names. For attacks with varying subdomains, try the KQL:

let timeframe = ago(3d);
EmailUrlInfo
| where Timestamp > timeframe
| where Url contains "suspect.tld"
| join (EmailEvents
| where Timestamp > timeframe)
on NetworkMessageId
| project Timestamp, Subject, SenderIPv4, SenderFromAddress, RecipientEmailAddress, DeliveryLocation, Url, UrlCount
| sort by Subject asc, Timestamp asc

That may help you understand the threat a little more, but it doesn't get the domain into Microsoft's database. Including ThreatTypes, ThreatNames or DetectionMethods in the project may help you see if it is already in there.

5) You can put the URL into the Tenant Allow/Block list under the URL tab, which will also cover you for SharePoint / OneDrive: https://security.microsoft.com/tenantAllowBlockList. Bear in mind that there is a limit of 500 blocks including senders and domains, so a lot of Never Expires will soon run out of space. I don't know if Microsoft uses these entries as a source of intelligence.

View solution in original post

1 Like
Reply