O365 Email Reported by User as Malware or Phish
Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/01/12"
3integration = ["o365"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
6min_stack_version = "8.8.0"
7updated_date = "2024/04/02"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to
13stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a
14malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent
15malware infections and Business Email Compromise attacks.
16"""
17false_positives = ["Legitimate files reported by the users"]
18from = "now-30m"
19index = ["filebeat-*", "logs-o365*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "O365 Email Reported by User as Malware or Phish"
23note = """## Setup
24
25The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
26references = [
27 "https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us",
28]
29risk_score = 47
30rule_id = "5930658c-2107-4afc-91af-e0e55b7f7184"
31severity = "medium"
32tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access"]
33timestamp_override = "event.ingested"
34type = "query"
35
36query = '''
37event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:"Email reported by user as malware or phish"
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1566"
45name = "Phishing"
46reference = "https://attack.mitre.org/techniques/T1566/"
47[[rule.threat.technique.subtechnique]]
48id = "T1566.001"
49name = "Spearphishing Attachment"
50reference = "https://attack.mitre.org/techniques/T1566/001/"
51
52[[rule.threat.technique.subtechnique]]
53id = "T1566.002"
54name = "Spearphishing Link"
55reference = "https://attack.mitre.org/techniques/T1566/002/"
56
57
58
59[rule.threat.tactic]
60id = "TA0001"
61name = "Initial Access"
62reference = "https://attack.mitre.org/tactics/TA0001/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
The Report Message add-in works with Outlook to allow you to report suspicious messages to Microsoft as well as manage how your Microsoft 365 email account treats these messages. Messages that you...
Read More
Related rules
- Microsoft 365 Exchange Anti-Phish Policy Deletion
- Microsoft 365 Exchange Anti-Phish Rule Modification
- Microsoft 365 Exchange Safe Link Policy Disabled
- Microsoft 365 User Restricted from Sending Email
- O365 Mailbox Audit Logging Bypass