Forum Discussion
How to quickly react to a user reported phishing e-mail?
- Sep 23, 2021
The three variables I would look for are sender domain, subject and payload URL. If anyone knows a good way to track a common attachment, I would be interested, bearing in mind that I do not use the Defender endpoint and only use Defender for O365.
The Threat Management \ Explorer screen in the Security & Compliance portal can do most of that. Set it for All Mails and then add in the criteria, bearing in mind that some of them are a long way down that list. You can get a bit more flexibility from Hunting \ Advanced Hunting which is now available on the Security portal, but you would have to learn a bit of KQL or ask for queries in these groups.
If you do not have Defender for O365 or equivalent, then in the Security & Compliance portal you have Mail Flow \ Message Trace, which will accept wildcards such as *@example.com in the By These People sender field.
Any of these simple traces can be a test for malignancy in itself if you are unsure whether a sighting is malign or not.
ExMSW4319, there is something similar in PowerShell: Search for and delete email messages in your organization - Microsoft 365 Compliance | Microsoft Docs
- Do a search and check the results
$Search=New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation All -ContentMatchQuery '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'
Start-ComplianceSearch -Identity $Search.Identity
- Delete Items
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete
That's one of the classic PowerShell clean-up methods, and for those cribbing the script from the internet: always run it in two separate parts, one to get the list of targets and a separate second part to run the actual hard deletion, in case the search picks up more than you want.
To feed that from KQL, I would use something along the lines of:
let timeval = ago(2d);
EmailUrlInfo
| where Timestamp > timeval
| where Url contains "malicious-URL-fragment"
| join (EmailEvents
| where Timestamp > timeval)
on NetworkMessageId
| project Timestamp, Subject, SenderIPv4, SenderFromAddress, DeliveryLocation, Url, UrlCount
| sort by Subject asc, Timestamp asc
This will give you a list of all of the times and subject lines used in a variable attack where the sender and subject are frequently changing. Judicious choice of the malicious URL fragment will allow you to pick up morphs of the domain, though injudicious use will garner you false positives.
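A two-phase version of the Compliance Search clean-up discussed above, added here as an example and not code from the thread or from Microsoft's docs. It assumes the ExchangeOnlineManagement module with a Connect-IPPSSession session; the search name, sender domain, subject and the From: clause syntax are placeholders and assumptions, and the purge step only runs when explicitly requested.

```powershell
# Added example: two-phase Compliance Search purge with an explicit review gate.
# Assumes the ExchangeOnlineManagement module and a Security & Compliance session.
# Search name, sender domain and subject below are placeholders, not values from the thread.
Connect-IPPSSession

function Invoke-PhishSearch {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $SenderDomain,   # placeholder, e.g. "example.com"
        [Parameter(Mandatory)] [string] $Subject,
        [Parameter(Mandatory)] [datetime] $Since,
        [int] $MaxItemsBeforePurge = 200,                # refuse to purge an unexpectedly large hit set
        [switch] $Purge                                  # phase 2 only runs when this is set
    )

    # Build the content query from the three variables: date window, sender domain, subject.
    # Assumption: "From:<domain>" narrows to that sender domain in this search's KQL.
    $start = $Since.ToString('M/d/yyyy')
    $end   = (Get-Date).AddDays(1).ToString('M/d/yyyy')
    $query = "(Received:$start..$end) AND (From:$SenderDomain) AND (Subject:`"$Subject`")"

    # Phase 1: create the search and poll until it completes.
    $search = New-ComplianceSearch -Name $Name -ExchangeLocation All -ContentMatchQuery $query
    Start-ComplianceSearch -Identity $search.Identity
    do {
        Start-Sleep -Seconds 10
        $search = Get-ComplianceSearch -Identity $Name
    } until ($search.Status -eq 'Completed')
    Write-Host "Search '$Name' matched $($search.Items) item(s) with query: $query"

    # Phase 2 is gated: produce a preview first, and never purge a suspiciously large set.
    if (-not $Purge) {
        New-ComplianceSearchAction -SearchName $Name -Preview | Out-Null
        Write-Host "Preview action created; inspect it, then re-run with -Purge."
        return $search
    }
    if ($search.Items -gt $MaxItemsBeforePurge) {
        Write-Warning "Refusing to purge $($search.Items) items (limit $MaxItemsBeforePurge); narrow the query."
        return $search
    }
    New-ComplianceSearchAction -SearchName $Name -Purge -PurgeType HardDelete -Confirm:$true
    return $search
}

# Phase 1 only; re-run the same call with -Purge once the preview looks right.
Invoke-PhishSearch -Name 'Remove Phishing Message' -SenderDomain 'example.com' `
    -Subject 'Action required' -Since (Get-Date).AddDays(-2)
```

The item-count ceiling is a sanity check, not a substitute for reading the preview: a subject line shared with legitimate mail will inflate the hit count before it trips the limit.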