End User Report Submission to Incident Response (IR) in Microsoft 365

Modified on Sun, 6 Oct at 2:38 PM

Flow Chart Overview

[Figure: end-user report flow chart (End-user.drawio.png)]

  1. Compatibility with Microsoft Tools

    • We are fully compatible with the built-in Microsoft report button.

    • Additionally, we can connect to the "Report Message" add-on for enhanced reporting capabilities.

  2. Configuration Steps

    • Dedicated Mailbox Creation

      • Customers should create a dedicated mailbox, e.g., report@domain.TLD. For better management, it is recommended that they use a shared mailbox with delegation assigned to at least one user.

    • Admin Configuration for Reporting

      • Admins configure Microsoft reports to be sent to the dedicated mailbox. These reports are sent on behalf of the user who reported the issue.

    • Transport Rule Setup

      • Implement a transport rule to send a copy of these reports to our reports mailbox for further analysis and action.

      • To limit the number of users reporting emails to the Incident Response (IR) system for testing purposes, follow these steps:
        1. Add a condition to the report submission rule: Apply this rule if > The sender > is this person
        2. Alternatively, scope the rule to a group: Apply this rule if > The sender > is a member of this group

Report Details Extraction

  1. Report Analysis Code

    • We have developed code that extracts details from the received reports, such as the user's action (Phishing, Junk, Not Junk).

    • When a user clicks on "Phishing":

      • We receive a scan report with the comment: "I think this email is malicious."

    • When a user clicks on "Junk":

      • We receive a scan report with the comment: "I think this email is spam."

    • When a user clicks on "Not Junk":

      • We receive a scan report with the comment: "I think this email is clean."

  2. Options
    - We can configure feedback emails (handling alerts). For more information, refer to: Enabling Investigation Handling Report
    - The alerts can be customized. See alert examples here: Reports&Alerts Samples (Feb 2024) under “Handling Alerts.”
    - The customer can configure Microsoft to send reports to the Incident Response (IR) team only when a user clicks 'Phishing.' To do so, add the following condition to the submission transport rule:
      Apply this rule if > The message headers… > include any of these words >
      - specify header name: Message-ID
      - specify words or phrases: Phish
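
The mapping from report comment to user action, and the Message-ID condition above, shown as an added Python example (this is not our production extraction code). It assumes the reported email arrives attached to the report as a message/rfc822 part; the addresses, Message-ID values and function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Comment text -> reported action, exactly as listed in this article.
ACTIONS = {
    "i think this email is malicious": "Phishing",
    "i think this email is spam": "Junk",
    "i think this email is clean": "Not Junk",
}

def build_sample_report(comment: str, original_body: str, message_id: str) -> bytes:
    """Constructed sample input: a report with the reported email attached."""
    original = EmailMessage()
    original["From"] = "billing@example.net"
    original["Subject"] = "Invoice overdue"
    original.set_content(original_body)

    report = EmailMessage()
    report["From"] = "alice@example.com"      # sent on behalf of the reporter
    report["To"] = "report@example.com"       # the dedicated mailbox
    report["Message-ID"] = message_id         # constructed value
    report.set_content(comment)
    report.add_attachment(original)           # becomes a message/rfc822 part
    return report.as_bytes()

def parse_report(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    action, original = "Unknown", None
    # Top-level parts only: text inside the attached email is sender-controlled
    # and must never be read as the reporter's comment.
    for part in (list(msg.iter_parts()) or [msg]):
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and original is None:
            original = part.get_content()
        elif ctype == "text/plain" and action == "Unknown":
            text = part.get_content().lower()
            action = next((a for c, a in ACTIONS.items() if c in text), "Unknown")
    return {
        "reporter": str(msg.get("From", "")),
        "action": action,
        # Mirrors the transport-rule condition: Message-ID contains "Phish".
        "message_id_has_phish": "phish" in str(msg.get("Message-ID", "")).lower(),
        "original_subject": str(original.get("Subject", "")) if original else None,
    }
```

Reading the comment only from the report's own top-level body keeps a reported email that itself contains "I think this email is clean" from changing the classification.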


Note: Microsoft 365 Specific

This configuration and reporting mechanism is tailored explicitly for Microsoft 365 environments, leveraging its built-in reporting functionalities and customizations.
