Automate email traffic reporting Office365 Security and Compliance

es flag

I am a Security Engineer at my organization and I'm looking for ways to automate the reporting process for suspicious emails.

We are using Terranova Security Awareness for Phish email reporting, and I receive these reported emails in my mailbox. These email reports contain the header details of the reported email, and the reported email itself as an .eml file.

I also have access to Microsoft 365 Security and Compliance admin centers. I can also use Microsoft Flow if necessary.

There are two things I'd like to see if I can set up for alerting. We receive so many reports that it is tedious to check all of them.

  1. Some sort of automated rule that checks for criteria in the reported emails. Maybe a domain outside our organization? This way, I can be more aware of high-risk activity.

  2. Separate from those reported emails, I'd like to see if there is a way to receive an alert if "x emails delivered in y time period from an external domain". This might be a clue that there is a phishing attack. Say, 50 emails in 10 minutes from the same sender.

I'm looking around in Compliance Alert policies but I'm not seeing "message delivered" as a criteria I can report on.

Ideas? Something else I could possibly try?

anx avatar
fr flag
I am not sure I correctly understand your question. Are you trying to make more use of badly-tuned software that sends more reports than are worth investigating? Or are you trying to improve handling of human-initiated escalations?
anx avatar
fr flag
Seems more like a *security* topic, but I found the metric *volume of duplicate (or auto-detectable by same criteria) spam* a terrible base for allocating human attention/resources. The phishing campaigns that direly need someone to look at are not the massively mass produced fire-and-forget kind.

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.