Hi All,
Do you know the User reported Settings in Microsoft 365 Defender for Office 365?
For instance, the Mails that a user reports to Microsoft with the "Report Message" Add-In can also be sent to a reporting Mailbox that you own.
User Reported Settings
https://security.microsoft.com/securitysettings/userSubmission
I enabled that a while ago.
As you can see the Reporting Mailbox receives all types:
- Junk
- Phishing
- Not Junk
The Mail contains the Header and the Original Mail as an Attachment.
In a past Project the Security Team was only interested in Reported Phishing Messages.
I've created the following Transport Rule to solve that:
# Mailbox that receives a blind copy of every message reported as Phishing
$AdminEmailaddress = "postmaster@icewolf.ch"
# Create the rule only if it does not exist yet
if ($Null -eq (Get-TransportRule -Identity "[EOP] Bcc Messages Reported to Microsoft" -ErrorAction SilentlyContinue))
{
    Write-Host "INFO: Create Transport Rule: [EOP] Bcc Messages Reported to Microsoft"
    # Phishing reports are addressed to phish@office365.microsoft.com; Bcc those to the admin mailbox
    New-TransportRule -Name "[EOP] Bcc Messages Reported to Microsoft" -RecipientAddressContainsWords "phish@office365.microsoft.com" -BlindCopyTo $AdminEmailaddress -Mode Enforce -Comment "Bcc Messages Reported to Microsoft" -Enabled $true
}
The Transport Rule looks like this
Now I report a Message as Phishing
Now I only receive Mails that are reported as Phishing
You can see in the MessageTrace that the Transport Rule has worked:
Get-MessageTrace -StartDate (get-date).AddDays(-1) -EndDate (get-date) -RecipientAddress phish@office365.microsoft.com
Get-MessageTrace -StartDate (get-date).AddDays(-1) -EndDate (get-date) -RecipientAddress phish@office365.microsoft.com | Get-MessageTraceDetail
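Besides the Message Trace, it is worth checking from time to time that the rule still has the settings it was created with, otherwise the Security Team silently stops receiving reports. The following is an added example, not part of the original post: the function name Test-ReportedPhishRule and the sample rule objects are constructed here, and it assumes the object returned by Get-TransportRule exposes State, Mode, RecipientAddressContainsWords and BlindCopyTo under those names.

```powershell
# Added example: compare a transport rule object with the settings used in this post.
function Test-ReportedPhishRule {
    param(
        $Rule,                                              # output of Get-TransportRule, or $null
        [Parameter(Mandatory)][string]$ExpectedBcc,
        [string]$ExpectedWord = 'phish@office365.microsoft.com'
    )
    if ($null -eq $Rule) { return 'Rule not found' }
    $findings = @()
    if ("$($Rule.State)" -ne 'Enabled') { $findings += "State is '$($Rule.State)', expected 'Enabled'" }
    if ("$($Rule.Mode)" -ne 'Enforce')  { $findings += "Mode is '$($Rule.Mode)', expected 'Enforce'" }

    # Normalise the multi-valued properties to string arrays (drops empty entries)
    $words = @(@($Rule.RecipientAddressContainsWords) | Where-Object { $_ } | ForEach-Object { "$_" })
    $bcc   = @(@($Rule.BlindCopyTo) | Where-Object { $_ } | ForEach-Object { "$_" })

    # -contains / -ne compare strings case-insensitively in PowerShell
    if ($words -notcontains $ExpectedWord) { $findings += "Recipient condition no longer contains $ExpectedWord" }
    if ($bcc -notcontains $ExpectedBcc)    { $findings += "Expected Bcc recipient $ExpectedBcc is missing" }
    $extra = @($bcc | Where-Object { $_ -ne $ExpectedBcc })
    if ($extra.Count -gt 0) { $findings += "Unexpected Bcc recipients: $($extra -join ', ')" }
    return $findings
}

# Constructed sample objects standing in for Get-TransportRule output
$good = [pscustomobject]@{
    State = 'Enabled'; Mode = 'Enforce'
    RecipientAddressContainsWords = @('phish@office365.microsoft.com')
    BlindCopyTo = @('postmaster@icewolf.ch')
}
$drifted = [pscustomobject]@{
    State = 'Enabled'; Mode = 'Audit'
    RecipientAddressContainsWords = @('phish@office365.microsoft.com')
    BlindCopyTo = @('postmaster@icewolf.ch', 'someone@example.com')
}

foreach ($sample in $good, $drifted) {
    $result = @(Test-ReportedPhishRule -Rule $sample -ExpectedBcc 'postmaster@icewolf.ch')
    if ($result.Count -eq 0) { Write-Host 'OK: rule matches the expected settings' }
    else { $result | ForEach-Object { Write-Host "WARN: $_" } }
}

# Against the tenant (requires an Exchange Online PowerShell session):
# $rule = Get-TransportRule -Identity "[EOP] Bcc Messages Reported to Microsoft" -ErrorAction SilentlyContinue
# Test-ReportedPhishRule -Rule $rule -ExpectedBcc $AdminEmailaddress
```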
You can argue that this is very dependent on the Userbase and how well they understand the difference between Junk and Phishing Emails. You're absolutely correct on that. Such a "technical" approach has to be accompanied by a well-designed user communication strategy.
Regards
Andres Bohren