{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/exchange-online-protection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Outlook","Exchange Online Protection"],"_cs_severities":["high"],"_cs_tags":["o365","phishing","malware","email"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection focuses on identifying malicious emails that bypass initial security layers and reach end-users, who then report them using the 'Report Message' feature in Outlook. When a user reports an email, Microsoft analyzes it and provides a verdict. This alert triggers when a user-reported email is classified as either \u0026quot;Phish\u0026quot; or \u0026quot;Malware,\u0026quot; indicating a successful initial access attempt by the attacker. This feature provides an enhanced security layer, empowering users to actively participate in threat detection. The targeted scope is O365 tenants utilizing the Microsoft Office Report A Message function.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a phishing email with malicious content (e.g., a link to a credential harvesting site or a malware-laden attachment).\u003c/li\u003e\n\u003cli\u003eThe email bypasses automated security filters (e.g., Exchange Online Protection) and lands in the user's inbox.\u003c/li\u003e\n\u003cli\u003eThe user, recognizing the suspicious nature of the email, utilizes the \u0026quot;Report Message\u0026quot; feature in Outlook to flag the email to Microsoft.\u003c/li\u003e\n\u003cli\u003eMicrosoft's systems analyze the reported email and identify it as either \u0026quot;Phish\u0026quot; or \u0026quot;Malware,\u0026quot; based on its characteristics and content.\u003c/li\u003e\n\u003cli\u003eAn AlertEntityGenerated event is created in the Office 365 Universal Audit Log, signaling that a user-reported email has been confirmed as malicious.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies this event and extracts relevant information, such as sender, subject, and reporting user.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the incident to determine the scope and impact of the phishing campaign.\u003c/li\u003e\n\u003cli\u003eCompromised accounts are remediated, and security controls are updated to prevent similar attacks in the future.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful phishing attack can lead to credential theft, malware infections, and data breaches. If a reported email is classified as malicious, it indicates that the attacker has successfully bypassed initial security measures and reached an end-user. The number of affected users depends on the scale of the phishing campaign. Targeted sectors include any organization utilizing Microsoft 365 services. Successful attacks can lead to significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and promote the use of the Microsoft Office \u0026quot;Report Message\u0026quot; function to empower users to report suspicious emails (Reference: \u003ca href=\"https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide)\"\u003ehttps://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Splunk Microsoft Office 365 Add-on to ingest Office 365 management activity events (See: How to Implement section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eO365 Email Reported By User Found Malicious\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate users who report malicious emails to identify potential compromises.\u003c/li\u003e\n\u003cli\u003eUse the drilldown searches to pivot to risk events for the reporting user and email sender to determine any additional suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-o365-email-reported-malicious/","summary":"Detection of emails reported by users as malicious via the Outlook 'Report Message' feature, subsequently confirmed as Phish or Malware by Microsoft's analysis, indicating successful initial access.","title":"O365 Email Reported by User Found Malicious","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-email-reported-malicious/"}],"language":"en","title":"CraftedSignal Threat Feed - Exchange Online Protection","version":"https://jsonfeed.org/version/1.1"}