SOLVED

Mark a URL as malicious in Microsoft 365 Defender

Regular Contributor

Our tenant received phishing mails a few days ago from an external hacked email account with good reputation. Emails went through, and contained a link to a phishing site.

 

Now that I know the URL from the mail is malicious, how can I tell Microsoft 365 Defender retroactively about it?

 

Is there any other action I should take, e.g. check Advanced Hunting or check any other logs for that malicious URL or even the malicious sender?

 

 

4 Replies
Hi @Kiril, if you have the right license, you could use the safe links configuration to block the url as described here: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o...

Another option would be via the threat explorer on https://security.microsoft.com. Search for the email and open the email entity. From the URL tab, you can select the malicious URL and block it from there. Br, Ruud

@R_Gijsbers_Rademakers thanks! The URL you provided links a deprecated feature, and the newly recommended approach is to use Tennant Allow/Block list. Thank you for the hint in that direction.

 

The Block the following URLs list for Safe Links is in the process of being deprecated. Use block entries for URLs in the Tenant Allow/Block List instead. Messages containing the blocked URL are quarantined.

 

A third option I found is using the Submission center to directly submit a URL to Microsoft and block it respectively.

 

Hi @Kiril, happy to have pointed you in the right direction. And thanks for sharing the correct information. Br Ruud

best response confirmed by Kiril (Regular Contributor)
Solution
Depending on the severity, I would do all or some of the following:

1) Find the mail on the Security portal and look for additional copies, searching on sender and separately on sender domain and on subject line elements if they are not too generic.

2) If these are not already zapped, report the most recent 10 as phish to stimulate a ZAP. If the original message or copies were zapped but the detection message was spam-related, report them as a phish anyway.

You can also report a URL directly via https://security.microsoft.com/reportsubmission but as far as I am aware, reporting the mail is simpler and quicker. Ideally you have the Report Message add-in for Outlook already deployed and your users trained to use it.

3) You should have a mail flow rule already set up to which you can add the problem URL. You need to be confident of the correct wildcard format to ensure a match. A typical action could be to subject line-tag and divert matches to the hosted quarantine or to an administrative mailbox. This is useful for shutting down cases that Microsoft seem to be unable to accept, but remember that MFR changes take half-an-hour or more to apply, and will also shut down any internal IT discussion of the case. You and any of your colleagues will need to obfuscate the link in whatever format your security providers typically use. If memory serves, Microsoft substitute [%%] for period.

4) The Security portal URL search only matches whole host names. For attacks with varying subdomains, try the KQL:

let timeframe = ago(3d);
EmailUrlInfo
| where Timestamp > timeframe
| where Url contains "suspect.tld"
| join (EmailEvents
| where Timestamp > timeframe)
on NetworkMessageId
| project Timestamp, Subject, SenderIPv4, SenderFromAddress, RecipientEmailAddress, DeliveryLocation, Url, UrlCount
| sort by Subject asc, Timestamp asc

That may help you understand the threat a little more, but it doesn't get the domain into Microsoft's database. Including ThreatTypes, ThreatNames or DetectionMethods in the project may help you see if it is already in there.

5) You can put the URL into the Tenant Allow/Block list under the URL tab, which will also cover you for SharePoint / OneDrive: https://security.microsoft.com/tenantAllowBlockList. Bear in mind that there is a limit of 500 blocks including senders and domains, so a lot of Never Expires will soon run out of space. I don't know if Microsoft uses these entries as a source of intelligence.