We have an existing workflow that successfully generates investigations whenever there is a Defender incident for phishing reports.
What we are trying to do is add a step that goes to our secops (phishing report) mailbox, gets the email report, digs into the attachment (the actual email that was reported) and then prints its body to an artifact.
We are almost there in that we are successfully pulling in the reporter's email from the phishing report mailbox but …
Two problems we have at the moment:
- The ‘get email from user’ functionality of the MS Office 365 plugin allows you to specify from, subject and body. We can successfully pull in emails based on from (we get the reporter's address from the incidents plugin), but when we try to put the suspicious sender into ‘subject’ or ‘body’ it fails. After a bit of testing it seems like it doesn't like special characters like @, so ‘firstname.lastname@example.org’ fails but ‘example’ works. We can launch without this, but it would be great to have it as it would reduce the chances of pulling in the wrong email when one reporter reports multiple emails.
No error message, it just comes back with nothing if we try to specify the suspicious sender as the subject. The reason we do that is because our reports come in with these subjects. Numbers changed. At the end you see the subject and sender of the suspicious email.
3|a6a453534560f9-660f-4c67-2b69-08dbef523af9|Adminfoxcat@mkzx.onmicrosoft.com|(email@example.com|(for report notification test) 27/11/2023 14:07:45)
UPDATE: okay, found a passable workaround for this, where I specify the suspicious email's subject, in this case “for report notification test) 27/11/2023”. That'll help cut down the chances of pulling in the wrong email at least. So yeah, the second issue is the big one that's stopping us going ahead.
- Looking at the job output, it seems convinced that none of these emails have attachments, but they do! Because the email report comes into the phishing inbox as an email from the reporter with the suspicious email attached, this means we can't read the body of the suspicious email.
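Since the reported message arrives as an attached message (a message/rfc822 part) inside the report email, here is an added example, written for this thread and not taken from the Office 365 plugin, the SOAR product or the original post, of pulling that inner message out with Python's standard email library and turning its headers and body into artifact text. The report email, the reporter and sender addresses, and the attached message are constructed sample data; how the workflow step obtains the raw MIME of the report is assumed to be handled elsewhere. The subject parser assumes the five-field pipe-delimited layout of the single report subject quoted above, and the example also records each attached message's Content-Disposition, because tooling that counts only parts marked `attachment` will miss one that is attached without that header.

```python
"""Extract the user-reported email from a phishing-report message and read its body.

Added example for this thread (not the plugin's or the SOAR's code). Standard
library only; all sample data below is constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample of the suspicious email, i.e. what the reporter attached.
SUSPICIOUS_EMAIL = (
    b"From: sender@attacker.example\r\n"
    b"To: reporter@example.com\r\n"
    b"Subject: for report notification test\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Your mailbox is full. Sign in here to keep receiving mail.\r\n"
)

# Report-notification subject in the layout quoted in the post (values constructed;
# assumed layout: id|reference|suspicious-sender|(reporter|(suspicious-subject) reported-at)).
REPORT_SUBJECT = ("3|a1b2c3|sender@attacker.example"
                  "|(reporter@example.com|(for report notification test) 27/11/2023 14:07:45)")


def build_sample_report() -> bytes:
    """Constructed report email: reporter -> phishing mailbox, suspicious email attached."""
    report = EmailMessage(policy=policy.default)
    report["From"] = "reporter@example.com"
    report["To"] = "phishing-reports@example.com"
    report["Subject"] = REPORT_SUBJECT
    report.set_content("Reported via the phishing button.")
    inner = BytesParser(policy=policy.default).parsebytes(SUSPICIOUS_EMAIL)
    report.add_attachment(inner)  # attaching a message object yields a message/rfc822 part
    return report.as_bytes()


def parse_report_subject(subject: str) -> dict:
    """Split the report subject into its fields (assumes the layout described above)."""
    fields = subject.split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"unexpected report subject layout: {subject!r}")
    tail = fields[4].lstrip("(").rstrip(")")          # "<subject>) <reported-at>"
    suspicious_subject, _, reported_at = tail.rpartition(") ")
    return {
        "suspicious_sender": fields[2],
        "reporter": fields[3].lstrip("("),
        "suspicious_subject": suspicious_subject,
        "reported_at": reported_at,
    }


def extract_reported_emails(raw_report: bytes) -> list:
    """Return one record per message/rfc822 part found anywhere in the report.

    The Content-Disposition of the wrapping part is kept so you can see whether a
    check that only counts 'attachment' parts would have found it at all.
    """
    report = BytesParser(policy=policy.default).parsebytes(raw_report)
    records = []
    for part in report.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_payload(0)  # the attached message itself
        body = inner.get_body(preferencelist=("plain", "html"))
        records.append({
            "disposition": part.get_content_disposition(),  # 'attachment', 'inline' or None
            "from": str(inner["From"]),
            "subject": str(inner["Subject"]),
            "body": body.get_content().strip() if body is not None else "",
        })
    return records


def build_artifact(raw_report: bytes) -> str:
    """Artifact text: report metadata followed by each attached message's headers and body."""
    report = BytesParser(policy=policy.default).parsebytes(raw_report)
    meta = parse_report_subject(str(report["Subject"]))
    lines = [
        f"Reporter: {meta['reporter']}",
        f"Suspicious sender (from report subject): {meta['suspicious_sender']}",
        f"Reported at: {meta['reported_at']}",
    ]
    for i, rec in enumerate(extract_reported_emails(raw_report), 1):
        lines += [f"--- attached message {i} (Content-Disposition: {rec['disposition']}) ---",
                  f"From: {rec['from']}", f"Subject: {rec['subject']}", "", rec["body"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_artifact(build_sample_report()))
```

The `suspicious_subject` returned by `parse_report_subject` is the string to hand to the plugin's subject filter; `extract_reported_emails` walks the whole MIME tree rather than the top-level attachments only, so it also finds a reported message that was itself forwarded inside another attachment.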