{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/user-reporting/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Office 365","Outlook","Microsoft Defender for Office 365"],"_cs_severities":["medium"],"_cs_tags":["office365","phishing","user-reporting"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying user-reported phishing or malware incidents within an Office 365 environment. When users report suspicious emails through the built-in reporting mechanisms in Outlook or other Microsoft services, these reports are aggregated and processed by the Security \u0026amp; Compliance center. The rule aims to detect these reports, which can be an early indicator of ongoing phishing campaigns or malware distribution attempts targeting employees. Timely detection of these reports allows security teams to investigate potential threats, assess the scope of the attack, and take appropriate remediation steps, such as quarantining malicious emails, blocking malicious senders, and alerting affected users. The scope of targeting depends on the specific campaign and the users targeted.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003ePhishing Email Delivery:\u003c/strong\u003e An attacker sends a phishing email to multiple users within the organization, attempting to deceive them into clicking a malicious link or opening a malicious attachment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUser Reports Suspicious Email:\u003c/strong\u003e A user identifies the email as suspicious and reports it using the built-in \u0026quot;Report Phishing\u0026quot; or \u0026quot;Report Junk\u0026quot; button within Outlook or another Microsoft email client.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReport Aggregation:\u003c/strong\u003e The reported email is sent to the configured reporting mailbox or processed by the Microsoft Defender for Office 365 Security \u0026amp; Compliance policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecurity \u0026amp; Compliance Alert:\u003c/strong\u003e The Security \u0026amp; Compliance center generates an alert or log entry indicating that a user has reported a potential phishing email.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDetection Triggered:\u003c/strong\u003e This detection rule identifies the Security \u0026amp; Compliance alert related to user-reported phishing or malware.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecurity Analyst Review:\u003c/strong\u003e A security analyst reviews the reported email, analyzes its contents, and investigates the sender's reputation and the linked URLs or attachments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIncident Response:\u003c/strong\u003e Based on the analysis, the security team takes appropriate incident response actions, such as quarantining the email, blocking the sender, and alerting other potentially affected users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful phishing attacks can lead to credential compromise, malware infection, data exfiltration, and financial loss. By detecting user-reported phishing attempts, organizations can significantly reduce the risk of successful attacks and minimize the potential damage. The impact of a missed user report can range from a single compromised account to a widespread ransomware infection, depending on the sophistication and reach of the phishing campaign. Early detection is crucial to containing the threat and preventing further damage.\u003c/p\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-user-reported-phish/","summary":"This detection identifies potentially malicious emails reported by users within an Office 365 environment through Security \u0026 Compliance policies, indicating possible phishing or malware attacks targeting the organization.","title":"Detection of User-Reported Phishing or Malware in Office 365","url":"https://feed.craftedsignal.io/briefs/2024-01-user-reported-phish/"}],"language":"en","title":"CraftedSignal Threat Feed - User-Reporting","version":"https://jsonfeed.org/version/1.1"}