User Profile
ExMSW4319
Iron Contributor
Joined 6 years ago
Recent Discussions
Re: No URL Detection in Emails with Extensive %2580 Encoding
Yep, I call it the padded URL tactic. The padding is typically visually displayed as spaces so the recipient may just see "youtube.com ", a domain some marketing types love to put in signature blocks. Pattern matching has horrendous problems (test non-intrusively, kiddies) and I gave up when it seemed that any Youtube TLD was fair game. I am pretty sure I have seen the tactic used with other domains too. Stepping back from MDO, putting a block or warning on your web proxy won't do any good because it is the payload domain at the far end of the padding string that is the real threat. Just for once, it isn't the Google infrastructure being weaponised except tangentially for the reputation, and the real problem as the OP said is down to MDO not being able to display the value in Threat Explorer or, it seems, offer any detection except by peripheral factors. I looked at a recent sample and the padding ran to over 4k characters prior to the payload domain. A quick Copilot check suggests that RFC-1035 sets a maximum host name length of 255 characters, so someone isn't checking bounds.

Re: Configure Quarantine Notifications to Admins when the any Email is quarantined
We use the second option, but for fewer alert types (e.g. malicious URL clicked) fed directly into the security team's ticket queue. We also have Report Message enabled and configured to send copies to a dedicated SecOps mailbox (Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery) so Defender does not (generally) devour our copies of the sightings. This is reinforced with policies just for SecOps at the top of the anti-phish, anti-spam and anti-malware policy tables.

Re: Assessing Microsoft Defender for Office365 Effectiveness
It's not ideal (takes an age to draw, and you have to mouseover for the numbers) but this little puppy is still available in your admin context: https://security.microsoft.com/mailflowStatusReport?viewid=sankey For post-delivery actions, you could try the following query if the number of events for your tenancy does not overrun the limits of KQL. Also beware that portal reports, KQL and any PowerShell you may be using rarely give exactly the same answer (because they are measuring subtly different things, I suspect). Always sanity-check any figures before presentation:

// concatenate Action strings but for single 30D view
EmailPostDeliveryEvents
| where Timestamp > ago(30d)
| project Action, ActionType, ActionTrigger, ActionResult
| extend Act = strcat(ActionType, " ", Action, ", ", ActionResult)
| summarize count() by Act
| sort by Act asc, count_ desc
| render piechart

Re: Defender false positive on SharePoint links
An admin submission may work (and is the exam answer) but you should track and see if it actually results in an Allow entry in your tenancy TABL under the URLs tab. If it does not, you have to ask Product Support to force the setting for you. It looks as if Indicators are a Defender for Endpoint thing. Try that group.

Re: Do you think you need to restore the previous ,version of the MTC Platform - Now it's useless
I am missing the community hub navigation. Finding a board I am interested in involves clicking down the pages of hubs multiple times and then clicking down the page of boards once. That really can't be helping MTC engagement rates. Yes, I can try Following boards instead but I'm having to make precautionary changes to my notification settings. Following still does not give me the same navigation functionality. The Products drop-down is close to what I need, though it is clearly not based on a list of hubs derived from a sum of board contributions I have posted. There is something else at work. I'm not keen on hiding the date at the end of the posting block either. But to answer the original question, sadly I suspect that too many changes have been made to the underlying store, so a quick reversion to the previous format would not be possible.

Re: Add "Add Sender to Safe Senders" button to quarantine email
Can you obtain the same effect by training them to use the Report Message button Not Junk option in Outlook? That might involve some policy changes, and I believe it cannot override "high confidence" verdicts. I suppose it depends on why the messages are going to the hosted quarantine to begin with.

Re: Microsoft Attack Simulator Training Foreign Language
I regularly simulate attacks in 5 languages. Training content is based on the desktop language, so you either need a tester with a desktop localised to the right language or you are going to have to do a bit of work to set your own workstation up to fully switch to the foreign language. Unless you are a really capable speaker of the foreign language, you want someone to sense-test what is being delivered anyway. Incidentally, I also customize my payloads, notices and landing pages to be single-language specific rather than relying on automatic language detection. And I assume you saw the drop-down box in the payload editor where you choose language? Use it, but cover your bets as I do.

Re: All the mail from one mail adress arrive in quarantine with an SCL = 5
If you mean the Restricted Senders list [get-blockedsenderaddress] then that only shows users in full Restriction (typically because their mailboxes are sending large amounts of rubbish). It won't help you if there is something in her signature block (say a URL) that is putting a weed up the product's outbound pool.

Re: All the mail from one mail adress arrive in quarantine with an SCL = 5
MX says the sender is also M365 (as per the headers) and they do not look like the sort of organisation that would cause trouble. Their ISP (going by the domain SOA) is in our bad books for unrelated reasons. You might want to sniff around any URLs they routinely include, though I believe that you said the problem was related to one sender. Being on M365, has the sender had a recent "misfortune"? If the sender's address was in your own Tenant Allow / Block list then you would not see the mails at all, unless your anti-spam policy is very weak.

Re: Executive reporting for Attack Simulation Training
1) I would say Excel is not too much work unless you have many simulations to keep track of. I see that you have already spotted the Repeat Offender feature. I must admit that I have not used it.
2) I think the filter is it. Payloads can be archived, but not simulations. Given that payloads and notices need testing, you are never going to have a completely "clean" simulation table. Choose your simulation names wisely and the filter will screen the clutter.
3) You could copy the payload code view from a Credential Harvest payload to a Drive-by URL payload then set a new phishing link, or simply choose or create a Drive-by URL payload. With the Credential Harvest, the User export shows you those who clicked on the first stage but went no further. The same report also tells you those who reported the message (assuming you are counting EXO user submissions rather than some internal service desk process).
4) I do not use the feature but I have tested the Repeat Offenders report and its export, and the data is there if you don't mind unpacking comma-separated lists in cells.
HTH Yes, I only have one hammer, and it is square and green...

Re: Domain impersonation in hybrid
We have a similar config except that the mailboxes are on EXO and only the on-prem systems send out through our legacy Exchange. What you are describing should work. Have you validated your SPF with someone like Dmarcian or looked closely at the headers of a repudiated mail to see what CompAuth et al are saying about you? Do you publish DMARC and if so, what does it say about DKIM? Is your own DMARC policy repudiating you? If you have already checked all of that, I fear that a call to Product Support lies in your future.

Re: MDO Attack Simulation and false "positives."
Return to your simulation in security.microsoft.com, pick your simulation, click the Users tab and Export the result. This will give you a CSV with the when, the IP and even the device details of each clicking user. You may find that you have third party client agents effectively clicking on links even though your users have not intentionally clicked them. The CSV also tells you if they are performing any remedial training you are assigning. You do not have to wait for the end of the campaign, though there may be some latency in the data in the export.

Re: add to whitelist or safe senders from quarantine
caro_del_castillo That is potentially good, but I am not entirely clear about the alert. Are we talking about something entirely new, or is it the informational alert "Removed an entry in Tenant Allow/Block List" as seen in the Policies & Rules \ Alert Policy table? If it is something entirely new then an example of what to expect would be good. If it is the informational alert, does that trigger for any removal from the TABL or just for these automated weedings? I ask because I block lots of routine breached genuine M365 tenants (strangely enough, other providers don't seem to have the same volume of breaches) on a 7-day or 30-day basis or however long I think it will take them to clean up their act. I don't fancy the idea of receiving an alert when each one of those expires. I suppose the best option is to experiment and then get busy with a mail flow rule if there is enough leverage.

Re: Microsoft Defender for Office 365 For Zoho Email Solution
Defender MDO is for Exchange Online only. In theory you might be able to set up a hybrid arrangement whereby some mails are then passed on from EXO to Zoho, but you are still paying one licence per address resolved on the EXO server. You might circumvent that by piling several aliases on each EXO seat, but the mails will be delivered to the primary address of each EXO account and you would need a horrible and probably unreliable arrangement to route them on to multiple Zoho addresses. You would not be able to send out using the multiple addresses, and if you are sending from Zoho Cloud-based Email Infestation then deliverability may be one problem you are trying to address. In any case your tracing and remediation features are unusable, making the whole idea of questionable value.

Re: Remediation action taken by admin on emails or URL or sender
Have you checked the Action Center? The automatically generated actions can make it difficult to spot manual actions awaiting approval. The only other problem I can think of is if the total batch of mails to be remediated is too big, or if the Take Action wizard is not completed. If the problem only happens for large batches (much more than 300) then that could be it.

Re: Attack Simulation Training in Chinese showing as garbled character
It's my understanding that the attack simulator is for mailboxes on direct connections to EXO. Anything hybrid will not work. Writing and editing payloads for the simulator will very rapidly teach you how diabolically difficult it is to write an HTML formatted message that works for all recipient mail clients, even before we consider the idiosyncrasies of the payload editor. I can only recommend that you begin with simple payloads and test methodically.

Re: add to whitelist or safe senders from quarantine
I have some Allow actions added under the 30-day rule last August that have been automatically renewing steadily since then. I agree that that is hardly a secure way to proceed, but it appears to be working for the domains in question. I am a strong believer in at least trying to understand and if possible solve the problem rather than putting a policy plaster on the problem. If it seems unlikely that the sender would reform even if the problem is carefully and courteously explained to them, you can still add allowed sender and allowed domain entries to the anti-spam and anti-phishing policies. That will however cost Secure Score as those lists should ideally be empty, and such an action should only be taken with an understanding of the underlying sender problem and concomitant risks. Microsoft can only offer a general solution. Only you can balance the benefits against the risks to your organisation.

Direct action quietly dropped
Has anyone else noticed that under MC788953 / roadmap 393937 we lose the ability to run remediations direct from Threat Explorer? Instead, the action goes to the Action Center where I have to (a) wait for it to appear, (b) find it amongst all of the automated clutter with none of the information I originally input in the Threat Explorer and (c) approve it. Is the rest of the civilised universe all on third-party tools working through the APIs? https://www.microsoft.com/en-GB/microsoft-365/roadmap?filters=&searchterms=393937
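The "padded URL" reply above (in the "No URL Detection in Emails with Extensive %2580 Encoding" thread) describes thousands of bytes of percent-encoded padding sitting between a familiar domain and the payload domain at the far end, and notes that RFC 1035 bounds a host name at 255 characters, so a missing bounds check is what lets the trick through. The Python below is an added example, not code from the thread, from ExMSW4319 or from Microsoft: a small triage helper that applies those checks to a URL pulled from a message or a log. It measures the raw authority against the RFC 1035 bounds, counts how many decoding rounds the escapes need (%2580 takes two, which is the tell for double encoding), and compares the domain a reader sees first with the host a client would actually contact. The sample URLs, the threshold of 20 escapes, and the use of an "@" userinfo separator to place the payload domain at the far end are constructed assumptions; the post does not say which separator real samples use.

```python
"""Triage helper for the padded-URL tactic (added example; not from the thread,
the poster or Microsoft). RFC 1035 bounds are the ones the post cites;
thresholds and sample URLs are constructed assumptions."""
import re
from urllib.parse import unquote, urlsplit

MAX_NAME_LEN = 255      # RFC 1035 total domain-name bound cited in the post
MAX_LABEL_LEN = 63      # RFC 1035 per-label bound
PAD_ESCAPE_COUNT = 20   # assumption: this many %XX escapes in an authority is padding
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Constructed samples. The padded ones follow the shape the post describes: a
# familiar domain first, thousands of bytes of padding, the payload domain at
# the far end. Using '@' (userinfo) as the separator is an assumption.
BENIGN_SAMPLE = "https://www.youtube.com/watch?v=example"
PADDED_SAMPLE = "https://youtube.com" + "%2580" * 900 + "@payload.example/path"
SPACE_PADDED_SAMPLE = "https://youtube.com" + "%20" * 300 + "@payload.example/"


def raw_authority(url: str) -> str:
    """Authority exactly as written: between '://' and the first '/', '?' or '#'."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return re.split(r"[/?#]", rest, maxsplit=1)[0]


def decode_rounds(text: str, limit: int = 5) -> tuple:
    """Percent-decode until stable and count the rounds. %2580 needs two
    (%2580 -> %80 -> one raw byte): double encoding exists to outlive one pass."""
    rounds = 0
    while rounds < limit and PCT_ESCAPE.search(text):
        nxt = unquote(text)          # errors='replace': stray bytes become U+FFFD
        if nxt == text:
            break
        text, rounds = nxt, rounds + 1
    return text, rounds


def analyse_url(url: str) -> dict:
    """Apply the bounds checks and return the evidence alongside any findings."""
    auth = raw_authority(url)
    decoded, rounds = decode_rounds(url)
    findings = []

    # 1. The bounds check the post says is missing: no legal host name is this long.
    if len(auth) > MAX_NAME_LEN:
        findings.append(f"authority_length_{len(auth)}_exceeds_{MAX_NAME_LEN}")
    # 2. Runs of %XX escapes inside the authority are the padding itself.
    if len(PCT_ESCAPE.findall(auth)) >= PAD_ESCAPE_COUNT:
        findings.append("percent_padding_in_authority")
    # 3. More than one decoding round means nested (double) encoding.
    if rounds > 1:
        findings.append(f"nested_encoding_rounds_{rounds}")
    # 4. The domain a reader sees first versus the host a client would contact.
    m = re.match(r"[^%@/]+", auth)
    visible = m.group(0) if m else ""
    parts = urlsplit(decoded)
    effective = parts.hostname or ""
    if "@" in parts.netloc and visible and visible.lower() != effective.lower():
        findings.append(f"decoy_{visible}_real_{effective}")
    # 5. Per-label bound on whatever host survives decoding.
    if any(len(label) > MAX_LABEL_LEN for label in effective.split(".")):
        findings.append("label_too_long")

    return {"visible": visible, "effective": effective,
            "authority_length": len(auth), "decode_rounds": rounds,
            "findings": findings}


if __name__ == "__main__":
    for sample in (BENIGN_SAMPLE, PADDED_SAMPLE, SPACE_PADDED_SAMPLE):
        result = analyse_url(sample)
        print(sample[:40] + ("..." if len(sample) > 40 else ""), result["findings"])
```

The benign URL produces no findings; the %2580 sample trips the length bound, the padding count, the double-encoding check and the decoy comparison, while the %20 variant (the one displayed as spaces) trips everything except double encoding. The length and padding checks do not depend on the separator assumption, so they hold for whatever shape a real sample takes.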