Sep 23 2021 02:42 AM - last edited on Dec 23 2021 11:03 AM by TechCommunityAP
When a user reports an e-mail as phishing I receive an alert notification, which leads me to the Incident page in Microsoft 365.
- How can I find similar e-mails on that page in case any other users received the same phishing mail?
- How can I quickly delete those mails?
@ExMSW4319 there is something similar in PowerShell: Search for and delete email messages in your organization - Microsoft 365 Compliance | Microsoft Doc...
- Do a search and check the results
# Create a search over all mailboxes, then start it (the date range and subject are the doc's example values)
$Search = New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation All -ContentMatchQuery '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'
Start-ComplianceSearch -Identity $Search.Identity
- Delete Items
# Hard-delete the matched items; a purge removes at most 10 items per mailbox per run
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete
Sep 29 2021 01:51 PM
That's one of the classic PowerShell clean-up methods, and for those cribbing the script from the internet, always run it in two separate parts: one to get the list of targets, and a separate second part to run the actual hard deletion, in case the search picks up more than you want.
To feed that from KQL, I would use something along the lines of:
let timeval = ago(2d);
EmailUrlInfo
| where Timestamp > timeval
| where Url contains "malicious-URL-fragment"   // substitute the fragment seen in the reported mail
| join (
    EmailEvents
    | where Timestamp > timeval
  ) on NetworkMessageId                         // tie each URL hit back to its delivery record
| project Timestamp, Subject, SenderIPv4, SenderFromAddress, DeliveryLocation, Url, UrlCount
| sort by Subject asc, Timestamp asc
This will give you a list of all of the times and subject lines used in a variable attack where the sender and subject are frequently changing. Judicious choice of the malicious URL fragment will allow you to pick up morphs of the domain, though injudicious use will garner you false positives.
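A two-phase version of the search-and-purge above, with a wait for the search to finish and a preview gate between the search and the delete, as an added example rather than code from the thread or from the linked Microsoft doc. It assumes an existing Connect-IPPSSession session with the Search And Purge role; the search name, query and item threshold are constructed placeholders.

```powershell
# Added example: search first, review, then purge. Not code from the thread.
# Assumes Connect-IPPSSession has already been run with the Search And Purge role.
$SearchName = "Remove Phishing Message"                                   # constructed placeholder
$Query      = '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'  # constructed placeholder

# Phase 1: create and start the search, then wait for it to complete.
$Search = New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query
Start-ComplianceSearch -Identity $Search.Identity
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
    Write-Host "Search status: $($Search.Status)"
} while ($Search.Status -ne 'Completed')
Write-Host "Total items matched: $($Search.Items)"

# Phase 1b: preview a sample of the hits so the query can be checked before anything is deleted.
# The preview action is named "<SearchName>_Preview".
New-ComplianceSearchAction -SearchName $SearchName -Preview | Out-Null
do {
    Start-Sleep -Seconds 15
    $Preview = Get-ComplianceSearchAction -Identity "$($SearchName)_Preview"
} while ($Preview.Status -ne 'Completed')
$Preview.Results   # sender, subject and mailbox for each previewed hit

# Phase 2: purge only after the preview has been reviewed, and only if the hit count is plausible.
$MaxExpectedItems = 50   # constructed threshold; set it to what the query is expected to match
if ($Search.Items -gt $MaxExpectedItems) {
    Write-Warning "Matched $($Search.Items) items, above the expected $MaxExpectedItems. Refine the query before purging."
    return
}
$Answer = Read-Host "Purge $($Search.Items) items as SoftDelete (recoverable)? Type YES to continue"
if ($Answer -eq 'YES') {
    # SoftDelete keeps the messages recoverable; switch to -PurgeType HardDelete only when that is intended.
    # A purge removes at most 10 items per mailbox per run; re-run the action for mailboxes holding more.
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false
}
```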