Spear phishing is a type of attack where phishing emails are tailored to a specific organization, a department within it, or even a specific person. Spear phishing is targeted by definition and relies on preliminary reconnaissance, so attackers are willing to spend more time and resources to achieve their goals. In this blog post, we discuss steps that can be taken to respond to such a malicious mailing campaign using Microsoft 365 Defender.

Some of the attributes of such attacks are:
- Using the local language for the subject, body and sender's name, making it harder for users to recognize the email as phishing.
- Email topics that match the recipient's responsibilities in the organization, e.g. invoices and expense reports sent to the finance department.
- Using real, compromised mail accounts to send the phishing emails, so that they pass email domain authentication (SPF, DKIM, DMARC).
- Using a large number of distributed sending addresses to avoid bulk mail detection.
- Using various methods to keep automated scanners away from the malicious content, such as encrypted ZIP archives or CAPTCHAs on phishing websites.
- Using polymorphic malware with varying attachment names to complicate detection and blocking.

In addition to the reasons listed above, misconfigured mail filtering or transport rules can also lead to malicious emails reaching users' inboxes, where some of them will eventually be opened and executed.

After receiving the first user reports or endpoint alerts, we need to understand the scope of the attack in order to respond adequately. To do that, we try to answer the following questions:
- How many users are affected? Is there anything common between those users?
- Is there anything shared across the malicious emails identified so far, e.g. mail subject, sender address, attachment names, sender domain, or sender mail server IP address?
- Were similar emails delivered to other users within the same timeframe?

Basic hunting is needed at this point, starting with the information we have on the reported malicious email; Microsoft 365 Defender provides extensive tools for that. For those who prefer an interactive UI, Threat Explorer is an ideal place to start. Using the filter at the top, identify the reported email and try to locate similar emails sent to your organization with the same parameters, such as links, sender addresses/domains or attachments.

Figure 2: Sample mail filter query in Threat Explorer

For even more flexibility, the Advanced Hunting feature can be used to search for similar emails in the environment. There are five tables in the Advanced Hunting schema that contain email-related data, including:
- EmailEvents – general information about events involving the processing of emails.
- EmailAttachmentInfo – information about email attachments.
- EmailUrlInfo – information about URLs in emails and attachments.
- EmailPostDeliveryEvents – information about post-delivery actions taken on email messages.
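The following Advanced Hunting query is an added example and not part of the original post. It turns the scoping questions above (shared sender, domain, sending IP, subject, attachment hash or URL domain; how many users received it; whether it is still sitting in an inbox) into one KQL pivot over the email tables named above. The NetworkMessageId value and the 7-day lookback are placeholders: replace the ID with the one from the user-reported message (visible in Threat Explorer or in EmailEvents).

```kql
// Added example, not from the original post. The NetworkMessageId below is a
// hypothetical placeholder for the reported message; the lookback is an assumption.
let reportedMessageId = "00000000-0000-0000-0000-000000000000";
let lookback = 7d;
// 1. Pivot attributes of the reported email: sender, envelope domain, sending IP, subject
let seed = EmailEvents
    | where Timestamp > ago(lookback)
    | where NetworkMessageId == reportedMessageId
    | project SenderFromAddress, SenderMailFromDomain, SenderIPv4, Subject;
let seedSenders = seed | distinct SenderFromAddress;
let seedDomains = seed | distinct SenderMailFromDomain;
let seedIPs     = seed | distinct SenderIPv4;
let seedSubjects = seed | distinct Subject;
// 2. Attachment hashes of the reported email (catches renamed polymorphic samples
//    only if the bytes are identical; a changed hash needs FileName/FileType pivots)
let seedHashes = EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where NetworkMessageId == reportedMessageId
    | distinct SHA256;
let msgsWithSameAttachment = EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where SHA256 in (seedHashes)
    | distinct NetworkMessageId;
// 3. URL domains found in the reported email body or attachments
let seedUrlDomains = EmailUrlInfo
    | where Timestamp > ago(lookback)
    | where NetworkMessageId == reportedMessageId
    | distinct UrlDomain;
let msgsWithSameUrl = EmailUrlInfo
    | where Timestamp > ago(lookback)
    | where UrlDomain in (seedUrlDomains)
    | distinct NetworkMessageId;
// 4. Every inbound email sharing at least one of those indicators
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| where SenderFromAddress in (seedSenders)
    or SenderMailFromDomain in (seedDomains)
    or SenderIPv4 in (seedIPs)
    or Subject in (seedSubjects)
    or NetworkMessageId in (msgsWithSameAttachment)
    or NetworkMessageId in (msgsWithSameUrl)
// 5. Was the copy already removed post-delivery (e.g. by ZAP or a manual action)?
| join kind=leftouter (
    EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress,
              PostDeliveryAction = Action, PostDeliveryResult = ActionResult
  ) on NetworkMessageId, RecipientEmailAddress
// 6. Scope summary per campaign cluster: recipients, time window, and how many copies
//    were delivered to an inbox with no post-delivery action recorded yet
| summarize Recipients = dcount(RecipientEmailAddress),
            Messages = dcount(NetworkMessageId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Delivered = countif(DeliveryAction == "Delivered"),
            StillInInbox = countif(DeliveryLocation =~ "Inbox/folder" and isempty(PostDeliveryAction))
    by Subject, SenderFromAddress, SenderMailFromDomain, SenderIPv4
| order by StillInInbox desc, Recipients desc
```

The StillInInbox column is the number that drives the next step: those are the copies that still need to be soft-deleted or moved to quarantine, and the recipient list behind it is the set of users to check for clicks and endpoint alerts. Remove the `| summarize` stage to get the per-recipient rows that a remediation action can be run against, and widen the pivots (for example matching on `SenderFromDomain` instead of `SenderMailFromDomain`, or on attachment `FileType` rather than `SHA256`) when the campaign rotates senders and payloads faster than exact matches can follow.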