Automate email traffic reporting Office365 Security and Compliance

I am a Security Engineer at my organization and I'm looking for ways to automate the reporting process for suspicious emails.

We are using Terranova Security Awareness for Phish email reporting, and I receive these reported emails in my mailbox. These email reports contain the header details of the reported email, and the reported email itself as an .eml file.

I also have access to Microsoft 365 Security and Compliance admin centers. I can also use Microsoft Flow if necessary.

There are two things I'd like to see if I can set up for alerting. We receive so many reports that it is tedious to check all of them.

  1. Some sort of automated rule that checks for criteria in the reported emails. Maybe a domain outside our organization? This way, I can be more aware of high-risk activity.

  2. Separate from those reported emails, I'd like to see if there is a way to receive an alert if "x emails delivered in y time period from an external domain". This might be a clue that there is a phishing attack. Say, 50 emails in 10 minutes from the same sender.

I'm looking around in Compliance Alert policies but I'm not seeing "message delivered" as a criterion I can report on.

Ideas? Something else I could possibly try?
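The two checks described in the question, as an added example in Python (not code from the question, Terranova or Microsoft): the first parses a reported .eml and flags it when the From, Reply-To or Return-Path domain is outside the organization; the second applies the "50 messages in 10 minutes from the same sender" rule as a per-sender sliding window over delivery events. `INTERNAL_DOMAINS` is a placeholder for the tenant's accepted domains, the .eml and the event list are constructed samples, and the events are assumed to come from a message-trace export.

```python
import email
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.utils import parseaddr

# Placeholder: replace with the tenant's own accepted domains.
INTERNAL_DOMAINS = {"example.com"}

def sender_domains(raw_eml: bytes) -> dict:
    """Domains found in the From, Reply-To and Return-Path headers of an .eml."""
    msg = email.message_from_bytes(raw_eml)
    found = {}
    for hdr in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        if "@" in addr:
            found[hdr] = addr.rsplit("@", 1)[1].lower()
    return found

def is_external(raw_eml: bytes, internal=INTERNAL_DOMAINS) -> bool:
    """True when any sender-related header points outside the organization."""
    return any(d not in internal for d in sender_domains(raw_eml).values())

def burst_senders(events, threshold=50, window=timedelta(minutes=10)):
    """events: (datetime, sender) pairs, e.g. from a message-trace export.
    Returns senders that reached `threshold` deliveries inside any `window`."""
    recent = defaultdict(deque)   # per-sender timestamps still inside the window
    flagged = set()
    for ts, sender in sorted(events):
        q = recent[sender.lower()]
        q.append(ts)
        while ts - q[0] > window:  # drop deliveries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(sender.lower())
    return flagged

# Constructed sample: a reported .eml whose headers all point to an external domain.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@login-verify.example.net>
Reply-To: support@login-verify.example.net
Return-Path: <bounce@login-verify.example.net>
Subject: Password expires today
"""

# Constructed sample: 50 deliveries in ~8 minutes from one sender, 20 spread over
# 20 minutes from another; only the first should trip the 50-in-10-minutes rule.
T0 = datetime(2023, 3, 6, 9, 0, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=10 * i), "bulk@login-verify.example.net") for i in range(50)]
    + [(T0 + timedelta(minutes=i), "newsletter@vendor.example.org") for i in range(20)]
)
```

Checking Reply-To and Return-Path as well as From matters because a reported message often shows a plausible display name while the reply or bounce address is the external one.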

anx
I am not sure I correctly understand your question. Are you trying to make more use of badly-tuned software that sends more reports than are worth investigating? Or are you trying to improve handling of human-initiated escalations?
anx
Seems more like a *security* topic, but I found the metric *volume of duplicate (or auto-detectable by same criteria) spam* a terrible base for allocating human attention/resources. The phishing campaigns that direly need someone to look at them are not the massively mass-produced fire-and-forget kind.
Jacob K
> Or are you trying to improve handling of human-initiated escalations?

This one. "Phish Reports" are initiated by the end-user on a suspicious email. Many of the emails they report are just spam/advertising and don't need our attention. Occasionally, we will fall victim to a legitimate phishing attack with emails that contain malicious links. Currently, the only clue that this is happening is if we see multiple reports with the same subject. Once identified, we use the "Search and Purge" function to delete these emails from our Exchange mailboxes.