Prerequisites
To follow this miniseries, the following prerequisites must be met:
- Your tenant must have at least one Microsoft Defender for Office 365 Plan 2 license to be able to view the Threat Explorer option.
- The Office 365 E5 license also includes Microsoft Defender for Office 365 – Plan 2.
- Microsoft 365 E5 and Microsoft 365 E5 Security include the Defender for Office 365 Plan 2 license.
- Apart from licenses, you must have the permissions needed to manage actions in Explorer.
For the Security & Compliance Center, you must have one of the following roles assigned:
- Organization Management
- Security Administrator (this can be assigned in the Azure Active Directory Admin Center)
- Security Reader
For Exchange Online, you must have one of the following roles assigned in either the Exchange admin center or Exchange Online PowerShell:
- Organization Management
- View-Only Organization Management
- View-Only Recipients
- Compliance Management
Identify malicious items
Look at all aspects of the tool to identify risks and take immediate, informed actions.
Tracking malicious emails
Scenario: You notice multiple reports of end users receiving malicious emails. Your task is to investigate the scope and potential impact of this. You must also look for common denominators that would, in turn, help you control the damage quickly.
Possible actions: In this case, you can run a quick search in Explorer to find the extent of the attack.
Access the Security Admin Center and select Threat Management > Explorer.
You can now use multiple options or criteria to search for the email. The simplest way is to search via the sender address; however, you may also search using the Subject or IP address, among other things.
In this scenario, you do have the sender's address; hence, you can search using that. As seen in the screenshot here, this email address has been sending email to several users. Many of these emails have been delivered to the Junk Mail folder, since they were identified as spam as per the policies set up in the tenant. Some have been blocked.
Now that you have a decent picture of the situation, you can take action on all the emails in bulk. The information about the email recipients is available below the graph, in the format shown here.
In the course of your troubleshooting, you might want to view additional details. You can select a specific email to view that information.
Let's take a look at all the options available here in the next sections. Note that every bit of information is worth analyzing during such an investigation. Hence, you must pay attention to all the things discussed here.
Details
This section provides a lot of information that can be used for further troubleshooting.
Original IP—This is the IP address of the sender and can be used to run traces.
Directionality—It's going to be either inbound or outbound.
System Overrides—This lets you know whether the email was allowed to be delivered due to a policy in your tenant. For example, you might have whitelisted or allowed an email address or domain in Exchange Online Protection. Such an override allows malicious emails from that sender to be delivered.
There are a few statuses for system overrides; see this link for more information.
Threats—Microsoft 365's verdict is displayed here. In this case, it is deemed a spam email.
Threats / Detection technologies—This displays the detection technology used by the cloud to identify the threat.
Delivery action / Original delivery location—This shows whether the email was delivered normally or if it was delivered to the Junk folder.
Latest delivery location—Sometimes an email is initially delivered to one location, shown under Original delivery location, and is then moved elsewhere by zero-hour auto purge (ZAP), an admin, or a system action. The Latest delivery location shows the final location of the email.
Protection policy / Action—The protection policy will display the policy that caused the action to be taken. In this case, the Spam Policy has a rule to move potential spam emails to the user's Junk folder.
Network message ID—Every message has a network message identifier that should be unique. The Network message ID is useful when you notice a suspicious email making it through Exchange Online Protection, and you want to submit it to Microsoft for investigation and future reference.
Internet message ID—This is the ID of an email and remains constant throughout. It can be useful in tracing the email.
Threats / URLs in message—All the URLs in the email are displayed here, including suspicious ones.
There are two hyperlinks at the bottom of the Details page.
View headers—This shows the message header. It's particularly useful in investigations. Also, it does not require any specific role to be viewed.
Download email—If you want to see the actual email, along with its attachments and URLs, then you can do so by clicking this option. Note that this exposes you to any malicious items in the email; hence, you must be cautious here.
Also, it is worth noting that a new role, Preview, must be added to another role group (such as Security Operations or Security Administrator) to grant the ability to download emails in the all-email messages view.
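The Details fields described above are also exposed as columns of the EmailEvents table in advanced hunting, which Defender for Office 365 Plan 2 includes. As an added example (not from the post), this query reproduces the sender-address search from the scenario and summarizes the outcome per delivery action and location; the sender address and look-back window are placeholders.

```kql
// Added example: Threat Explorer "Details" fields as an advanced hunting query.
// suspectSender and lookback are placeholders to replace for the case at hand.
let suspectSender = "sender@example.com";     // placeholder sender address
let lookback = 7d;                            // placeholder time window
EmailEvents
| where Timestamp > ago(lookback)
| where SenderFromAddress =~ suspectSender or SenderMailFromAddress =~ suspectSender
// One row per message, using the same columns the Details pane shows
| project Timestamp,
          NetworkMessageId,            // Network message ID (use when submitting to Microsoft)
          InternetMessageId,           // Internet message ID (constant across hops)
          RecipientEmailAddress, Subject,
          SenderIPv4,                  // Original IP
          EmailDirection,              // Directionality: Inbound / Outbound / Intra-org
          ThreatTypes, DetectionMethods,
          DeliveryAction,              // Delivered / Junked / Blocked / Replaced
          DeliveryLocation,            // Original delivery location
          LatestDeliveryLocation,      // Final location after ZAP, admin or system actions
          OrgLevelPolicy, OrgLevelAction,
          UserLevelPolicy, UserLevelAction   // Protection policy / Action
// Scope of the campaign, one row per outcome, mirroring the Explorer chart
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            SampleSubjects = make_set(Subject, 5),
            SenderIPs = make_set(SenderIPv4, 5)
          by DeliveryAction, DeliveryLocation, LatestDeliveryLocation
| order by Messages desc
```

Remove the final summarize to get the per-message list, including the Network message ID needed for a submission to Microsoft; the URLs shown under "Threats / URLs in message" live in the separate EmailUrlInfo table, keyed by NetworkMessageId.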
Attachments
This tab shows the attachment, if any, in the email.
Microsoft is working on a new portal that will display even more information. At present, it's available in preview mode, which allows you to open the attachment from this tab.
Email timeline
This tab displays the actions taken on the email since its arrival in Microsoft 365.
Similar emails
This tab shows all the other emails in the tenant with the same sender or subject. The current portal does not allow you to export this list; however, if you access the new Security portal in preview mode, you can download it.
The link to access the new page is displayed above the option, as highlighted in yellow here.
It's worth noting that you can get the same list of emails by initiating the search in Explorer with the same sender or subject.
In my next post, I will give you an overview of the different actions you can take to deal with malicious emails.
Hello,
What is the KQL query to fetch the logs of URL clicks on emails in the "Advanced hunting" pane? The above explanation is entirely about the "Threat explorer" pane, and it's pretty good, but we are looking to collect the events/logs of URL clicks on emails from the "Advanced hunting" pane via some other automation tools (XSOAR & Phantom).
Can you please help me with the KQL query logic for how to achieve that?
Hello,
I haven't tried this. However, I will check and let you know. This is the link where they explain the advanced hunting query language.