Hello community... I am wondering if anyone can share any lessons learned from handling phishing reports in Microsoft Office 365.

Currently we are looking at onboarding phishing reports by having Exchange "CC" phishing reports to a mailbox, then use the Exchange connector to read these messages and analyze them.

I think this approach will work, but we also have access to "Microsoft 365 Defender", which is its own SOAR tool. When I look into that portal, I see MS already has done the hard work of grouping phishing and malware reports together into "incidents" and performing a fair amount of initial analysis of the reports. It seems a shame to ignore all of Threat Intel in Siemplify.

Does anyone have a success story to share in pulling together this data into Siemplify?


Hi @Greg_Mackinnon, I don't really have answers but wanted to let you know we're also looking closely at our options here. Please let us know if you find any good alternatives!

We have pretty complicated playbooks that process user reported emails coming into a mailbox (like you described), but we're also looking to take advantage of more of the things Microsoft is doing already. One thing we ran into at some point was user reported emails to the mailbox may be blocked and never make it to Siemplify, so you may have to set up very permissive filtering/exceptions to allow all inbound messages to your mailbox.
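The mailbox-ingestion approach discussed in this thread, as an added example that is neither Siemplify's nor Microsoft's code: a triage step over a user-reported message pulled from the reporting mailbox, producing the fields a SOAR case would carry. It assumes the report arrives as a wrapper with the original attached as message/rfc822; every address, domain and header value is constructed. It also covers the situation the second reply describes, where filtering has stripped the attachment before the connector sees it, by returning a distinct status rather than an empty but clean-looking result.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def build_sample_report() -> str:
    """Constructed sample: a user forwards a suspicious mail with the original attached."""
    reported = EmailMessage()
    reported["From"] = "IT Helpdesk <helpdesk@contoso-example.com>"
    reported["Reply-To"] = "recovery@lookalike-example.net"
    reported["To"] = "user@contoso-example.com"
    reported["Subject"] = "Password expires today"
    reported["Authentication-Results"] = (
        "spf=fail smtp.mailfrom=contoso-example.com; dkim=none; dmarc=fail action=quarantine")
    reported.set_content("Reset at https://contoso-example.com.lookalike-example.net/reset now.")
    wrapper = EmailMessage()
    wrapper["From"] = "user@contoso-example.com"
    wrapper["To"] = "phish-reports@contoso-example.com"
    wrapper["Subject"] = "FW: Password expires today"
    wrapper.set_content("Reporting a suspicious email.")
    wrapper.add_attachment(reported)  # stored as a message/rfc822 part, like an Outlook report
    return wrapper.as_string()

def triage_report(raw: str) -> dict:
    """Pull the reported message out of the wrapper and derive fields for a SOAR case."""
    wrapper = message_from_string(raw, policy=policy.default)
    reported = next((p.get_content() for p in wrapper.iter_attachments()
                     if p.get_content_type() == "message/rfc822"), None)
    if reported is None:
        # Upstream filtering can strip or block the attachment; surface that, do not close the case.
        return {"status": "no_attachment", "findings": [], "urls": []}
    findings = []
    auth = str(reported.get("Authentication-Results", ""))
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append("auth_failure")
    from_domain = parseaddr(str(reported.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(reported.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_domain_mismatch")  # replies would leave the apparent sender's domain
    body = reported.get_body(preferencelist=("plain",))
    urls = sorted(set(URL_RE.findall(body.get_content() if body else "")))
    return {"status": "reported_message_found", "subject": str(reported.get("Subject", "")),
            "from_domain": from_domain, "findings": findings, "urls": urls}

if __name__ == "__main__":
    print(triage_report(build_sample_report()))
```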