O365 Email Reported By User Found Malicious

Try in Splunk Security Cloud

Description

The following analytic detects when an email submitted to Microsoft using the built-in report button in Outlook is found to be malicious. This capability is an enhanced protection feature that can be used within o365 tenants by users to report potentially malicious emails. This correlation looks for any submission that returns a Phish or Malware verdict upon submission.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Email
• Last Updated: 2024-04-01
• Author: Steven Dick
• ID: 7698b945-238e-4bb9-b172-81f5ca1685a1

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1566	Phishing	Initial Access

T1566.001

Spearphishing Attachment

Initial Access

T1566.002

Spearphishing Link

Initial Access

Kill Chain Phase

• Delivery

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

`o365_management_activity` Workload=SecurityComplianceCenter  Operation=AlertEntityGenerated Name="Email reported by user as*" 
| fromjson Data 
| rename _raw AS temp etps AS _raw 
| extract pairdelim=";" kvdelim=":" 
| rename _raw AS etps temp AS _raw 
| search RescanVerdict IN (Phish,Malware) 
| rex field=tsd "\<(?<src_user>.+)\>" 
| eval src_user = case(isnull(src_user),tsd,true(),src_user) 
| stats count min(_time) as firstTime max(_time) as lastTime values(ms) as subject values(RescanVerdict) as result values(tsd) as sender values(src_user) as src_user by AlertId,AlertEntityId,Operation,Name 
| rename Name as signature, AlertId as signature_id, AlertEntityId as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_email_reported_by_user_found_malicious_filter`

Macros

The SPL above uses the following Macros:

• o365_management_activity
• security_content_ctime

o365_email_reported_by_user_found_malicious_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Workload
• Operation
• Name
• Data
• AlertId
• AlertEntityId
• tsd
• etps

How To Implement

You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. You must deploy/allow the usage of the Microsoft Office Report A Message function.

Known False Positives

unknown

Associated Analytic Story

• Spearphishing Attachments
• Suspicious Emails

RBA

Risk Score	Impact	Confidence	Message
75.0	75	100	The user $user$ reported an email classified as $result$ from $src_user$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1