I am a Security Engineer at my organization and I'm looking for ways to automate the reporting process for suspicious emails.
We are using Terranova Security Awareness for phishing email reporting, and I receive these reported emails in my mailbox. Each report contains the header details of the reported email, plus the reported email itself as an .eml attachment.
I also have access to Microsoft 365 Security and Compliance admin centers. I can also use Microsoft Flow if necessary.
There are two things I'd like to set up for alerting, if possible. We receive so many reports that it is tedious to check all of them.
Some sort of automated rule that checks for criteria in the reported emails. Maybe a domain outside our organization? This way, I can be more aware of high-risk activity.
Separate from those reported emails, I'd like to see if there is a way to receive an alert if "x emails delivered in y time period from an external domain". This might be a clue that there is a phishing attack. Say, 50 emails in 10 minutes from the same sender.
I'm looking around in the Compliance alert policies, but I'm not seeing "message delivered" as a criterion I can alert on.
Ideas? Something else I could possibly try?
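Added example, not part of the original post or of any Terranova or Microsoft tooling: a small Python triage script that covers both asks above. It parses reported .eml files and flags those whose From: domain is outside the organization (with the Return-Path and Authentication-Results headers pulled out, since those are what you want to eyeball first), and it runs a sliding-window burst detector over message-delivery events, flagging any sender that delivers at least N messages inside a window (the 50-in-10-minutes rule from the post). The organization domains, the .eml samples and the delivery events are all constructed for the example; in practice the events would come from a message trace export.

```python
# Added example (not from the original post). Flags reported .eml files whose
# From: domain is external, and detects bursts of deliveries from one sender.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: these are the organization's own sending domains.
ORG_DOMAINS = {"example.com", "mail.example.com"}


def sender_domain(msg) -> str:
    """Lower-cased domain of the From: address, or '' if none.
    parseaddr ignores the display name, so 'CEO <x@evil.example>' yields
    'evil.example' even when the display name looks internal."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def triage_reports(raw_emls, org_domains=ORG_DOMAINS):
    """Parse each reported .eml; return the external ones with key headers."""
    hits = []
    for raw in raw_emls:
        msg = BytesParser(policy=policy.default).parsebytes(raw)
        domain = sender_domain(msg)
        if domain and domain not in org_domains:
            hits.append({
                "from_domain": domain,
                "subject": str(msg.get("Subject", "")),
                "return_path": parseaddr(msg.get("Return-Path", ""))[1],
                "auth_results": str(msg.get("Authentication-Results", "")),
            })
    return hits


def burst_senders(events, threshold=50, window=timedelta(minutes=10)):
    """events: iterable of (delivered_at, sender_address).
    Returns {sender: time the threshold was first crossed} for every sender
    with >= threshold deliveries inside some sliding window of this length."""
    recent = defaultdict(deque)   # per-sender timestamps still inside the window
    flagged = {}
    for ts, sender in sorted(events):          # process in delivery order
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:        # evict deliveries older than window
            q.popleft()
        if len(q) >= threshold and sender not in flagged:
            flagged[sender] = ts
    return flagged


# --- constructed sample data (not real reports) ------------------------------
REPORTED_EMLS = [
    b"From: IT Helpdesk <helpdesk@ex4mple-support.net>\r\n"
    b"Return-Path: <bounce@ex4mple-support.net>\r\n"
    b"Subject: Password expires today\r\n"
    b"Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail\r\n"
    b"Content-Type: text/plain\r\n\r\nClick here to keep your account.\r\n",
    b"From: Payroll <payroll@example.com>\r\n"
    b"Subject: Your payslip\r\n"
    b"Content-Type: text/plain\r\n\r\nSee attached.\r\n",
]

T0 = datetime(2024, 3, 1, 9, 0, 0)
DELIVERY_EVENTS = (
    # 60 messages from one external sender in five minutes: should trigger.
    [(T0 + timedelta(seconds=5 * i), "news@ex4mple-support.net") for i in range(60)]
    # 12 messages from a partner spread over an hour: should not trigger.
    + [(T0 + timedelta(minutes=5 * i), "billing@partner.example") for i in range(12)]
)

if __name__ == "__main__":
    for hit in triage_reports(REPORTED_EMLS):
        print("EXTERNAL report:", hit)
    for sender, when in burst_senders(DELIVERY_EVENTS).items():
        print(f"BURST: {sender} crossed the threshold at {when:%H:%M:%S}")
```

The burst detector keys on the From: address the post mentions; if you feed it message-trace rows you may prefer to key on the envelope sender or the sending IP as well, since a phishing run often rotates display addresses but not infrastructure. Note that the external-domain check on its own will match every legitimate outside correspondent, so pairing it with the Authentication-Results verdict (SPF/DKIM/DMARC failures) is what separates high-risk reports from noise.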