Automatically triage phish submissions in Microsoft Defender for Office 365
Published Sep 09 2021 09:00 AM

This post is a continuation of a recent blog covering the latest improvements to automated email investigations in Microsoft Defender for Office 365. In this post, we’ll look at how the Microsoft Digital Security and Resilience (DSR) team has worked co-operatively with the Defender for Office 365 team to reduce Microsoft's internal caseload for user-submitted phish by more than 40%.


Security doesn’t stop once an email is delivered


Despite the number of protective controls security teams have in place, threat actors will continue to increase their level of sophistication. For this reason, mitigation remains a crucial element to combat phishing attacks that make it through our defenses. Microsoft’s Security Operations Center (SOC) is equipped with Microsoft Defender for Office 365’s fully functional tools and automation to quickly detect, investigate, and effectively remediate malicious emails. Since minutes matter, the Automated Investigation and Response (AIR) features have been key in enabling the Digital Security and Resilience SOC group to move quickly.




Figure 1: Minutes matter - Why technology advancement, detections, and reporting are needed.


Enabling user phish reporting


Beyond prevention and detection, it is imperative that we cultivate a security conscious culture. To do this, we equip our employees, our first and last line of defense, with skills to identify a phish and provide them with simple reporting that delivers a consistent experience across all platforms.


Since there are thousands of reported emails per day, it is vital that employees receive reporting on potential missed threats. Microsoft leverages Defender for Office 365’s Report Message add-in to enable easy user phish reporting. End-user reports are visible within the Microsoft 365 Defender portal – but more importantly these phish reports generate alerts and automated investigations within Defender for Office 365. Automation from AIR is key to ensure that our SOC can prioritize the reports that present the greatest risk. With the transition to AIR, Microsoft saw SOC efficiency significantly improve for time to resolution, moving away from manual steps to a fully integrated investigation and remediation platform.


Since the Microsoft SOC utilizes a service management toolset for case assignment, we integrated it with the Office 365 management activity API to assign alerts/investigations from Defender for Office 365. This is critical to SOC management, as it integrates into our regular processes and reporting tools for our team. For a more efficient user submission process, DSR is working with the Microsoft 365 Defender and Defender for Office 365 teams to move to the Sentinel APIs and begin leveraging Defender incident capabilities in a similar fashion.


Prioritizing key cases


In 2020 we analyzed SOC cases and determined that employee-reported messages are not often malicious, that is, they do not often include malware or high confidence phish. While we continue to encourage employees to report suspicious emails, more than 60% of the cases remediated were benign and reported as false positives. Benign cases occur when users report normal notifications, newsletters or spam emails as phish because they find them suspicious or annoying, but there is no real phishing threat. To ensure that priority is placed on remediating emails presenting the greatest risk, distinguishing between phish and spam cases in Automated Investigation and Response (AIR) investigations became our focus.


We worked with the Defender for Office 365 team, who created a new phish classification schema, to separate high confidence phish, including credential theft and Business Email Compromise, from ‘normal’ phish, including unauthenticated, spoofed, or impersonated domains, and spam. ‘Normal’ phish and spam detections commonly fire on improperly configured marketing or operational emails, producing benign phish detections. This better informs the SOC of the types of threats users may have reported, and allows them to more proactively remediate risk due to high confidence phishing attacks.


Measuring success of improved phish submission handling


In March 2021, we delivered a cluster analysis that showed early indication that removal of spam (benign-positive) cases substantially reduced total phishing cases and saved thousands of dollars in monthly operational costs.


How does this work? To reduce the total number of cases and better target more malicious emails reported, investigations will only create actions when malicious emails containing malware or high confidence phish appear in the inbox or junk folders of mailboxes. This means that lower severity threats may get reported by the end users, but only the most severe get identified as ‘pending actions’ for our SOC team to focus on. On this latter point, DSR is working with the Defender for Office 365 team to test new email threat clustering analysis that uses the latest delivery location in identifying needed actions. Emails that have been removed from the cloud mailboxes will no longer require attention. In addition, automatic refresh of investigations’ pending actions will remove/cancel actions that end up redundant due to either Zero-hour auto purge (ZAP) or other SOC actions. This is particularly important as we reduce the time between reporting phish emails and ZAP and continue to get better at removing malicious emails faster.


We expect location aware actions will improve the user submission handling with the following:


  • Reduced action volume and more accurate clustering, because normal phish will not require action (i.e., removes false-positive issues caused by “normal phish” spoofing common in bulk mail and operational emails).
  • You won’t need to approve every action in an incident/investigation. Refreshed pending actions will show when emails still linger (i.e., if you approve the largest cluster deletion, others will close on refresh over time).
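
The action logic described above (only malware or high confidence phish still sitting in inbox or junk creates a pending action, and a refresh closes actions made redundant by earlier removals) can be modelled as follows. This is an added illustration, not code from the original post or from Defender for Office 365; the verdict labels, location labels, cluster keys and function names are all hypothetical, and the emails are constructed sample data.

```python
from dataclasses import dataclass

# Labels below are hypothetical names for this sketch, not the product schema.
ACTIONABLE_VERDICTS = {"malware", "high_confidence_phish"}
MAILBOX_LOCATIONS = {"inbox", "junk"}   # email is still in a cloud mailbox

@dataclass
class Email:
    message_id: str
    clusters: tuple        # an email can match several clusters
    verdict: str           # malware, high_confidence_phish, phish, spam
    latest_location: str   # inbox, junk, quarantine, deleted

def pending_actions(emails):
    """Map cluster -> message ids that still need an analyst-approved action."""
    actions = {}
    for e in emails:
        if e.verdict in ACTIONABLE_VERDICTS and e.latest_location in MAILBOX_LOCATIONS:
            for cluster in e.clusters:
                actions.setdefault(cluster, []).append(e.message_id)
    return actions

def approve(cluster, emails):
    """Simulate approving one cluster's deletion (ZAP has the same effect)."""
    for e in emails:
        if cluster in e.clusters:
            e.latest_location = "deleted"

def refresh(previous, emails):
    """Recompute from latest locations; return (still pending, closed clusters)."""
    current = pending_actions(emails)
    return current, sorted(c for c in previous if c not in current)

def sample():
    """Constructed data: emails found by one user-report investigation."""
    hc = "high_confidence_phish"
    return [
        Email("m1", ("url:login-portal", "sender:payroll-spoof"), hc, "inbox"),
        Email("m2", ("url:login-portal",), hc, "junk"),
        Email("m3", ("url:login-portal", "subject:invoice"), hc, "inbox"),
        Email("m4", ("sender:newsletter",), "phish", "inbox"),    # 'normal' phish
        Email("m5", ("url:login-portal",), hc, "quarantine"),     # already removed
        Email("m6", ("subject:bulk",), "spam", "junk"),
        Email("m7", ("subject:invoice",), "malware", "inbox"),
    ]

if __name__ == "__main__":
    emails = sample()
    before = pending_actions(emails)
    approve("url:login-portal", emails)
    after, closed = refresh(before, emails)
    print(before, after, closed, sep="\n")
```

Approving the largest cluster closes the overlapping sender cluster on refresh, while the invoice cluster stays pending because one malware email still lingers in an inbox.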


Continued efficiency and effectiveness improvements


What happens when we don’t agree with the verdict? Admin submissions and SOC (admin) actions can be quickly accessed from the AIR user submission investigation. Links to review emails identified in investigations let the SOC analyst quickly move to Threat Explorer or Advanced Hunting. From there, analysts can submit an Admin Submission when they identify threats or are not getting the proper verdict. If the email cluster wasn’t identified as something needing remediation, the analysts can then manually remediate it themselves. We are working with the Defender for Office 365 team on new admin action capabilities that will enable us to link these admin remediation actions to existing investigations/incidents.


As DSR continues to move forward with improvements to our user submission and false negative handling processes, we will continue to work with the Defender team to identify further improvements such as sending end users feedback on their phish reports into the automated investigation process. We expect continued improvements will lead to even more efficiency, as well as more effectiveness at reducing threat exposure when used in conjunction with new protections the Defender for Office 365 team is continuing to deliver.




Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.


Last update: Sep 08 2021 06:44 PM