End User Report Submission to Incident Response (IR) in Microsoft 365

Flow Chart Overview

1. Compatibility with Microsoft Tools

   • We are fully compatible with the built-in Microsoft report button.

   • Additionally, we can connect to the "Report Message" add-on for enhanced reporting capabilities.

2. Configuration Steps

   • Dedicated Mailbox Creation

     • Customers should create a dedicated mailbox, e.g., report@domain.TLD. For better management, it is recommended that they use a shared mailbox with delegation assigned to at least one user.

   • Admin Configuration for Reporting

     • Admins configure Microsoft reports to be sent to the dedicated mailbox. These reports are sent on behalf of the user who reported the issue.

   • Transport Rule Setup

     • Implement a transport rule to send a copy of these reports to our reports mailbox for further analysis and action.

     • To limit the number of users reporting emails to the Incident Response (IR) system for testing purposes, follow these steps:
       1. Add a condition in the report submission rule: Apply this rule if > The sender.. is this person
       2. You can also use group: Apply this rule if > The sender.. is a member of this group

Report Details Extraction

1. Report Analysis Code

   • We have developed a code that extracts details from the received reports, such as the user's action (Phishing, Junk, Not Junk).

   • When a user clicks on "Phishing":

     • We receive a scan report with the comment: "I think this email is malicious."

   • When a user clicks on "Junk":

     • We receive a scan report with the comment: "I think this email is spam."

   • When a user clicks on "Not Junk":

     • We receive a scan report with the comment: "I think this email is clean."

2. Options
   - We can configure feedback emails (handling alerts). For more information, refer to: Enabling Investigation Handling Report
   - The alerts can be customized. See alerts examples here: Reports&Alerts Samples (Feb 2024) under “Handling Alerts.”
   - The customer can configure Microsfot to send reports to the Incident Response (IR) team only when a user clicks 'Phishing.'
   - Add the following condition to the submission transport rule:
   Apply this rule if > The message headers… > include any of these words >
   - specify header name: Message-ID
   - specify words or phrases: Phish

Note: Microsoft 365 Specific

This configuration and reporting mechanism is tailored explicitly for Microsoft 365 environments, leveraging its built-in reporting functionalities and customizations.

Attachments (2)

image-202404....png
32 KB

End-user.drawio.png
82.5 KB