Feb 19 2019 09:33 AM
I need further enlightenment in order to understand why Office 365 Threat Intelligence is allowing email that was identified as "PHISH" by detection technology to be delivered.
There's something here that might be the justification for this behavior:
"[...] there are times when an attacker could send mail to your users containing a URL and only later on make that URL point to malicious content (malware, etc.)[...]"
Is this the sole reason why around 300 emails apparently classified as PHISH were delivered in one of my managed tenants?
Feb 20 2019 02:54 AM
The messages were bumping between both internal and external recipients.
Can't get a hold of a header right now.
The real question is: if these emails were marked as phish, why did they get delivered in the first place?
Feb 20 2019 04:40 AM - edited Feb 20 2019 04:42 AM
We have a similar problem.
In our case a user put email@example.com on his allowed sender list via Outlook > Junk > Never Block Sender.
The phishing mail spoofed the address firstname.lastname@example.org but clearly came from a different source, as the header implied, and which had been recognized by threat protection. The allowed sender list of the user overrode the phishing rule.
Microsoft writes in this article
"However, as currently implemented by Office 365, they are vulnerable to spoofing because they are simple string matches. Fortunately, as per above, we are making a change to not respect a user's safe sender if it fails authentication. Our recommendation is for users to add to safe senders when they want to receive email from someone specific."
That was 2017.
That might be a lead in your case, too?!
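The quoted Microsoft statement describes the fix for this class of bypass: a safe-sender entry is a plain string match on the From: address, so it must only be honoured when the message also passed authentication. The following is an added example, not code from any poster or from Microsoft, that applies that rule to an Authentication-Results header; the two messages and the safe-sender list are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: is on the user's safe-sender list, but the
# Authentication-Results header shows SPF/DKIM/DMARC all failing, i.e. the
# display address is spoofed. This is the case described in the thread.
SAMPLE_SPOOFED = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=example.org; dkim=none (message not signed)
 header.d=none; dmarc=fail action=oreject header.from=example.org
From: firstname.lastname@example.org
To: user@example.com
Subject: Urgent: reset your password

Click here.
"""

# Constructed sample: same From: address, but genuinely authenticated.
SAMPLE_LEGIT = """\
Authentication-Results: spf=pass (sender IP is 198.51.100.9)
 smtp.mailfrom=example.org; dkim=pass (signature was verified)
 header.d=example.org; dmarc=pass action=none header.from=example.org
From: firstname.lastname@example.org
To: user@example.com
Subject: Meeting notes

See attached.
"""

SAFE_SENDERS = {"firstname.lastname@example.org"}  # constructed list


def auth_results(raw_message: str) -> dict:
    """Extract the spf/dkim/dmarc verdicts from Authentication-Results."""
    msg = message_from_string(raw_message)
    header = msg.get("Authentication-Results", "")
    # The header is folded over several lines; the regex does not care.
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def safe_sender_honoured(raw_message: str, safe_senders: set) -> bool:
    """True only if From: is a safe sender AND the message authenticated.
    A bare string match, as in the old behaviour, is never enough."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    if from_addr.lower() not in safe_senders:
        return False
    verdicts = auth_results(raw_message)
    if verdicts.get("dmarc") == "fail":
        return False  # alignment failed: the From: domain is spoofed
    return verdicts.get("dmarc") == "pass" or "pass" in (
        verdicts.get("spf"), verdicts.get("dkim"))
```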
Feb 20 2019 07:34 AM - edited Feb 20 2019 07:35 AM
Seems interesting, but I don't think it's the same situation, because in my case the emails were from distinct senders and recipients, including internal domain senders and recipients.
I'm just curious as to why Threat Intelligence is able to track something malicious within an email, but still allow said email to be delivered!