Detection: O365 Email Reported By Admin Found Malicious

Description

The following analytic detects when an email manually submitted to Microsoft through the Security & Compliance portal is found to be malicious. This capability is an enhanced protection feature that can be used within o365 tenants by administrative users to report potentially malicious emails. This correlation looks for any submission that returns a Phish or Malware verdict upon submission.

Search

1`o365_management_activity` Workload=SecurityComplianceCenter Operation=AdminSubmission 
2| search RescanVerdict IN (Phish,Malware) 
3| stats values(Subject) as subject, values(RescanVerdict) as result, values(SenderIP) as src, values(P2Sender) as sender, values(P1Sender) as src_user, values(Recipients{}) as user, count min(_time) as firstTime, max(_time) as lastTime, by Id,Operation,UserId 
4| rename Name as signature, Id as signature_id, UserId as o365_adminuser 
5| `security_content_ctime(firstTime)` 
6| `security_content_ctime(lastTime)` 
7| `o365_email_reported_by_admin_found_malicious_filter`

Data Source

No data sources specified for this detection.

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity

Known False Positives

Administrators that submit known phishing training exercises.

Associated Analytic Story

• Spearphishing Attachments

• Suspicious Emails

Risk Based Analytics (RBA)

Risk Message:

O365 security admin $o365_adminuser$ manually reported a suspicious email from $src_user$

References

• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 3