{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/suspicious-email/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft 365"],"_cs_severities":["medium"],"_cs_tags":["suspicious-email","phishing","microsoft365"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat involves malicious or suspicious emails, as identified by Microsoft Defender for Office 365, being delivered to user mailboxes despite the existing security mechanisms. This can occur due to various factors, including misconfigured security policies, sophisticated attacker techniques that evade detection, or delayed signature updates. The delivery of such emails presents a significant risk, as they may contain spearphishing attachments, malicious links, or other harmful content designed to compromise user accounts or systems. Successful exploitation can lead to data theft, malware infection, and further propagation of the attack within the organization. \nIt\u0026rsquo;s crucial to investigate these instances promptly to remediate any potential damage and improve email security posture.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a spearphishing email designed to bypass standard security filters.\u003c/li\u003e\n\u003cli\u003eThe email is sent to a target user within the Microsoft 365 environment.\u003c/li\u003e\n\u003cli\u003eMicrosoft Defender for Office 365 analyzes the email and identifies it as suspicious but fails to block delivery.\u003c/li\u003e\n\u003cli\u003eThe email is delivered to the user\u0026rsquo;s Inbox or Junk folder.\u003c/li\u003e\n\u003cli\u003eThe user opens the email and clicks on a malicious link or opens a malicious attachment (e.g., a macro-enabled document).\u003c/li\u003e\n\u003cli\u003eThe link redirects the user to a credential harvesting site, or the attachment executes malicious code (e.g., via PowerShell).\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the user\u0026rsquo;s account or system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account to further propagate the attack, exfiltrate data, or deploy malware within the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this threat can be significant. Successful exploitation can lead to the compromise of user accounts, data theft, malware infection, and financial loss. Organizations may experience business disruption, reputational damage, and legal liabilities. \nThe number of affected users and the extent of the damage will depend on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect suspicious email delivery events within your Microsoft 365 environment and tune for your specific environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the root cause of the bypass and remediate any potential damage.\u003c/li\u003e\n\u003cli\u003eReview and adjust Microsoft Defender for Office 365 settings to improve detection accuracy and blocking capabilities.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing emails and encourage them to report suspicious messages.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eTIMailData\u003c/code\u003e operation within the M365 audit logs for further analysis and threat hunting.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-m365-suspicious-email/","summary":"This brief outlines a threat where Microsoft Defender for Office 365 identifies an email as malicious or suspicious but still delivers it to a user's inbox or junk folder, potentially bypassing initial security measures.","title":"Microsoft 365 Suspicious Email Delivery","url":"https://feed.craftedsignal.io/briefs/2024-01-m365-suspicious-email/"}],"language":"en","title":"CraftedSignal Threat Feed — Suspicious-Email","version":"https://jsonfeed.org/version/1.1"}