hunting
6 Topics

No URL Detection in Emails with Extensive %2580 Encoding

Hi Community, I encountered a concerning issue where emails containing URLs with extensive encoding (%2580) completely bypassed all detection and security mechanisms. These encoded URLs weren't identified as links, which allowed them to evade security scanning.

Issue Details: The email contained malicious URLs encoded with %2580. The URLs were not flagged or identified as links, allowing the payload to bypass filters entirely.

Questions:
- Has anyone else encountered similar issues with encoded URLs bypassing detection?
- What's the best process to submit this email to Microsoft for analysis and improvements to detection mechanisms, since no URLs were identified?

Looking forward to your input and recommendations. Thanks in advance!

Get Recipient domain Count for Outbound mails

Hello All, I am trying to get the recipient domain count for outbound mails in the last 30 days, and it seems there is no "Recipient Domain" column in the Email Events table. Only the RecipientEmailAddress column is available. Does anyone know any workaround to get the recipient domain count? Email flow reports seem to be not good.

tracking abuse of BCC

Apologies once again for the cross-post, but there are some aspects of this case that may have been more applicable to Exchange Online than to MDO specialists. I am looking at the BCC problem, where an attacker will send mail from the sending system to a third domain (often with an address chosen to make the deception convincing) and BCC the victim address. Where a sending domain represents an obvious and sustained problem (not mentioning any Mountain View freemail providers here) it is easy to construct a mail flow rule:

if sender domain is {problem domain}
do {action}
except if To or CC includes a member of {your internal global distribution list}

{action} should of course be non-intrusive until you are sure that the rule is not going to be a problem. You may also need exceptions for acceptable spoofing, forwarding and any distribution groups accepting external mail. That is why testing is essential.

My problem is how to track the success of this rule. Both the PowerShell Get-MailDetailTransportRuleReport cmdlet and the equivalent KQL (Advanced Hunting) EmailEvents table give the actual recipient address after BCC and distribution groups are resolved, rather than the address of the third party that the detected item was primarily sent to. For the numbers in question, the GUI is impractical for anything other than spot checks. Is there any way to programmatically list the external primary recipient of an inbound BCC?

Fastest workflow to block a phished user?

If a user gets phished, or his credentials get leaked - what's the first thing you do, before you start investigating the issue? A few questions concerning this issue:
- Is it enough to block the user in the Office 365 Admin Center?
- Should I reset his password, or is blocking the user enough?
- If the user is blocked, and he still has an active Exchange Online session, can the blocked user still send e-mails?

Queries related to defender for office 365

Hello MDO gurus, I have the below queries for my Defender for Office deployment:
- Do we have a feature to enable domain-specific tagging for MDO Alerts?
- As for MDO Pending Action items, is there any default action applied if we do not approve or reject the Soft-delete emails?
- Are manually reported phishing emails part of the MDO Pending Action Items?
- Is there a bulk approval option for MDO pending action items?