SOLVED

How to quickly react to a user reported phishing e-mail?

When a user reports an e-mail as phishing I receive an alert notification, which leads me to the Incident page in Microsoft 365.

- How can I find similar e-mails on that page in case any other users received the same phishing mail?

- How can I quickly delete those mails?

7 Replies
best response confirmed by Kiril (Steel Contributor)
Solution
The three variables I would look for are sender domain, subject and payload URL. If anyone knows a good way to track a common attachment, I would be interested, bearing in mind that I do not use the Defender endpoint and only use Defender for O365.

The Threat Management \ Explorer screen in the Security & Compliance portal can do most of that. Set it for All Mails and then add in the criteria, bearing in mind that some of them are a long way down that list. You can get a bit more flexibility from Hunting \ Advanced Hunting which is now available on the Security portal, but you would have to learn a bit of KQL or ask for queries in these groups.

If you do not have Defender for O365 or equivalent then in the Security & Compliance portal you have Mail Flow \ Message Trace, which will accept wild cards such as *@example.com in the By These People sender field.

Any of these simple traces can be a test for malignancy in itself if you are unsure whether a sighting is malign or not.
Ok, that's also what I'm doing - using the Threat Explorer. I thought there might be a more efficient way to get similar emails from a reported email.
As far as I am aware, Threat Explorer and Advanced Hunting are both "near real-time" so neither has any advantage in speed over the other. "Sender Domain" means a full right-hand side match, so if your attacker is morphing on subdomains or you just want to know how much rubbish you are getting from a given junk registry's customers then you need KQL to query the partial namespace. I do not know what is possible with automation. Finally, there are third-party products that will connect to your tenancy and automatically take action if they see mail that breaks their threat detection rules.
Advanced Hunting seems to be the way to go when you want to be fast. Is it possible to issue a Soft or Hard Delete from Advanced Hunting?
As far as I am aware, KQL can only read data from O365 (and other MS online systems) and manipulate the data externally. I am not aware of any function to enact a change in an O365 tenancy. If anyone has an example to the contrary, please post - I for one would be very interested.

@ExMSW4319 there is something similar in PowerShell: Search for and delete email messages in your organization - Microsoft 365 Compliance | Microsoft Doc...

- Do a search and check the results

# Create the search (scoped by date range and subject) and start it; review the results before any purge
$Search = New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation All -ContentMatchQuery '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'
Start-ComplianceSearch -Identity $Search.Identity

- Delete Items

# Purge the items matched by the completed search; HardDelete marks them for permanent removal
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete

@Kiril
That's one of the classic PowerShell clean-up methods, and for those cribbing the script from the internet, always run in the two separate parts; one to get the list of targets and a separate second part to run the actual hard deletion in case the search picks up more than you want.

To feed that from KQL, I would use something along the lines of:

let timeval = ago(2d);
EmailUrlInfo
| where Timestamp > timeval
| where Url contains "malicious-URL-fragment"
| join (EmailEvents
| where Timestamp > timeval)
on NetworkMessageId
| project Timestamp, Subject, SenderIPv4, SenderFromAddress, DeliveryLocation, Url, UrlCount
| sort by Subject asc, Timestamp asc

This will give you a list of all of the times and subject lines used in a variable attack where the sender and subject are frequently changing. Judicious choice of the malicious URL fragment will allow you to pick up morphs of the domain, though injudicious use will garner you false positives.
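The two-part search-then-purge flow recommended above, written out as an added example (not code from the thread or from Microsoft's documentation) with a review gate between the parts. It assumes an existing Security & Compliance PowerShell session and the eDiscovery permissions the cmdlets need; the search name and query are placeholders.

```powershell
# Added example: two-part Compliance Search clean-up with a review gate.
# Assumes Connect-IPPSSession has already been run. Name and query are placeholders.

$SearchName = "Remove Phishing Message"   # placeholder search name
# Constructed query: bounded by date range and subject so it cannot drift tenant-wide
$Query = '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'

# Part 1: create and run the search, then wait until it reports Completed
$Search = New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query
Start-ComplianceSearch -Identity $Search.Identity
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne 'Completed')

# Review the hit count and the per-mailbox summary before anything destructive happens
Write-Host "Search '$SearchName' found $($Search.Items) item(s)"
$Search.SuccessResults

# Part 2 (run separately, only after the review): purge the matched items.
# SoftDelete leaves items recoverable from Recoverable Items; HardDelete does not.
# A purge action removes at most 10 items per mailbox per run, so re-run it for
# mailboxes that held more and check the action's status each time.
if ($Search.Items -gt 0) {
    $Confirm = Read-Host "Type PURGE to soft-delete these $($Search.Items) item(s)"
    if ($Confirm -eq 'PURGE') {
        New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete
        Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
    }
}
```

Swap SoftDelete for HardDelete only once the soft-deleted set has been confirmed to be the phishing campaign and nothing else.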
