Forum Discussion
Kiril
Sep 23, 2021, Steel Contributor
How to quickly react to a user reported phishing e-mail?
When a user reports an e-mail as phishing I receive an alert notification, which leads me to the Incident page in Microsoft 365. - How can I find similar e-mails on that page in case any other us...
ExMSW4319
Sep 23, 2021, Iron Contributor
The three variables I would look for are sender domain, subject and payload URL. If anyone knows a good way to track a common attachment, I would be interested, bearing in mind that I do not use the Defender endpoint and only use Defender for O365.
The Threat Management \ Explorer screen in the Security & Compliance portal can do most of that. Set it for All Mails and then add in the criteria, bearing in mind that some of them are a long way down that list. You can get a bit more flexibility from Hunting \ Advanced Hunting which is now available on the Security portal, but you would have to learn a bit of KQL or ask for queries in these groups.
If you do not have Defender for O365 or equivalent then in the Security & Compliance portal you have Mail Flow \ Message Trace, which will accept wild cards such as *@example.com in the By These People sender field.
Any of these simple traces can be tests for malignancy in themselves if you are unsure if a sighting is malign or not.
- Kiril, Sep 23, 2021, Steel Contributor: Ok, that's also what I'm doing - using the Threat Explorer. I thought there might be a more efficient way to get similar emails from a reported email.
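
The three-variable search suggested in the answer (sender domain, subject, payload URL), written as an Advanced Hunting query. This is an added example, not part of the original thread. It assumes the Defender for Office 365 `EmailEvents` and `EmailUrlInfo` tables are available in your tenant; the sender domain, subject fragment and URL domain are constructed placeholders to be replaced with the values from the reported message.

```kusto
// Added example: find mail similar to a user-reported phish.
// The three values below are constructed placeholders.
let lookback = 7d;
let reportedSenderDomain = "example.com";
let reportedSubject = "Invoice overdue";
let reportedUrlDomain = "login.example.net";
// Messages that carry a URL on the same domain as the reported payload URL.
let urlMatches =
    EmailUrlInfo
    | where Timestamp > ago(lookback)
    | where UrlDomain =~ reportedUrlDomain
    | summarize Urls = make_set(Url, 10) by NetworkMessageId;
EmailEvents
| where Timestamp > ago(lookback)
| join kind=leftouter urlMatches on NetworkMessageId
// Flag each of the three variables separately so partial matches stay visible.
| extend SenderMatch  = SenderFromDomain =~ reportedSenderDomain,
         SubjectMatch = Subject contains reportedSubject,
         UrlMatch     = isnotempty(Urls)
| where SenderMatch or SubjectMatch or UrlMatch
| extend MatchCount = iff(SenderMatch, 1, 0) + iff(SubjectMatch, 1, 0) + iff(UrlMatch, 1, 0)
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject,
          Urls, MatchCount, DeliveryAction, DeliveryLocation, NetworkMessageId
| order by MatchCount desc, Timestamp desc
```

Rows with a `MatchCount` of 2 or 3 are the closest relatives of the reported message; `DeliveryLocation` shows which copies reached an inbox and still need cleanup.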