NOTE: Hoxhunt doesn't provide support for setting up or using Microsoft services like Defender (formerly ATP). Please consult your Security and Microsoft teams for more information.
The Hoxhunt button in Outlook can be used to forward reported threats from personal mailboxes to Microsoft as user submissions, just as if the customer used Microsoft’s own reporting functionality. This feature is a part of the base Hoxhunt product.
Technically, when Hoxhunt uploads a suspicious email to Microsoft ATP, it is considered a user submission. Microsoft’s user submission policies apply to:
To modify the configuration for user submissions, the user needs to be a member of one of the following role groups:
Organization Management or Security Administrator in the Security & Compliance Center.
Organization Management in Exchange Online.
Read more about how to access the user submissions at: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/user-submission?view=o365-worldwide.
How the integration works
The integration works as follows:
1. End user clicks the Hoxhunt add-in. This opens the menu options for reporting a real threat.
2. End user reports an email as phishing. If the end user reports an email as phishing from a personal mailbox, Hoxhunt forwards that information to Microsoft just as if the user had reported it as phishing with Microsoft’s own native reporting options. A message is shown that the email is being uploaded to Microsoft. After the upload to Microsoft is completed, the email is uploaded to Hoxhunt and/or forwarded to your chosen mailbox, depending on your configuration. As a final step the reported email is moved to the Deleted Items folder.
3. End user reports an email as spam. If the user reports an email as spam from a personal mailbox, Hoxhunt forwards that information to Microsoft just as if the user had reported it as junk with Microsoft’s own native reporting options. A message is shown that the email is being uploaded to Microsoft. After the upload to Microsoft is completed, the email is uploaded to Hoxhunt and/or forwarded to your chosen mailbox, depending on your configuration. As a final step the reported email is moved to the Junk folder and the sender is added to the Blocked Senders list.
- Please note: Microsoft does not support reporting phishing emails from shared or group mailboxes. The Defender integration therefore does not support emails reported from shared or group mailboxes, and no user submission is created in Defender when an email is reported from such a mailbox. However, Hoxhunt can still both forward the email to your chosen address and upload it to Hoxhunt for visibility.
4. End user reports an email as not spam. If the user reports an email as not spam from the Junk folder, Hoxhunt forwards that information to Microsoft just as if the user had reported it as not junk with Microsoft’s own native reporting options. The reported email is then moved back to the user’s Inbox.
- Please note: Allowing users to report emails as not spam is an additional feature that can be enabled by your Onboarding Manager or Customer Success Manager at Hoxhunt. If the Report as not spam feature is not enabled, users can report any email as spam, including emails located in their Junk folder.
5. The submissions are sent to Microsoft and are visible at https://protection.office.com/reportsubmission. In general it takes 5 to 10 minutes before a user’s reports show up under User Submissions.
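The steps above form a small decision procedure: which mailbox types produce a Defender user submission, which report types need the optional feature, and in what order the Microsoft upload, the Hoxhunt upload, the forwarding and the final folder move happen. The following Python model is an added illustration written for this article; it is not Hoxhunt’s code, and the configuration field names (upload_to_hoxhunt, forward_to, not_spam_enabled) and the folder name "Junk" are assumptions chosen for readability.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Report(Enum):
    PHISH = "phish"          # "Report as phishing"
    SPAM = "spam"            # "Report as spam"
    NOT_SPAM = "not_spam"    # "Report as not spam" (optional feature)


class MailboxType(Enum):
    PERSONAL = "personal"
    SHARED = "shared"
    GROUP = "group"


@dataclass
class Config:
    # Tenant-side choices mentioned in the article; the field names are assumptions.
    upload_to_hoxhunt: bool = True
    forward_to: Optional[str] = None    # address reports are forwarded to, or None
    not_spam_enabled: bool = False      # switched on by Hoxhunt on request


@dataclass
class Outcome:
    microsoft_submission: Optional[str]               # "phish", "junk", "not_junk" or None
    actions: List[str] = field(default_factory=list)  # what happens, in order


def handle_report(report: Report, mailbox: MailboxType, folder: str, cfg: Config) -> Outcome:
    """Return the Microsoft submission type (if any) and the ordered actions for one report."""
    if report is Report.NOT_SPAM and not cfg.not_spam_enabled:
        # Without the feature the button simply has no "not spam" option.
        raise ValueError("'Report as not spam' is not enabled for this tenant")
    if report is Report.NOT_SPAM and folder != "Junk":
        raise ValueError("'not spam' applies only to items in the Junk folder")

    # Only personal mailboxes produce a Defender user submission; shared and
    # group mailboxes never do, whatever the report type.
    submission_type = {Report.PHISH: "phish", Report.SPAM: "junk", Report.NOT_SPAM: "not_junk"}[report]
    personal = mailbox is MailboxType.PERSONAL
    out = Outcome(microsoft_submission=submission_type if personal else None)
    if personal:
        out.actions.append(f"submit to Microsoft as {submission_type}")

    if report is Report.NOT_SPAM:
        out.actions.append("move to Inbox")
        return out

    # The Microsoft upload completes before Hoxhunt receives the mail, so no
    # Hoxhunt enrichment (threat ratings and so on) ever reaches Microsoft.
    if cfg.upload_to_hoxhunt:
        out.actions.append("upload to Hoxhunt")
    if cfg.forward_to:
        out.actions.append(f"forward to {cfg.forward_to}")

    if report is Report.PHISH:
        out.actions.append("move to Deleted Items")
    else:
        out.actions.append("move to Junk")
        out.actions.append("add sender to Blocked Senders")
    return out


if __name__ == "__main__":
    # Spam reported from a shared mailbox: no Defender submission, but Hoxhunt still sees it.
    for step in handle_report(Report.SPAM, MailboxType.SHARED, "Inbox", Config(forward_to="soc@example.com")).actions:
        print(step)
```

The ordering of the returned actions is the point: the submission to Microsoft is always first, so anything your tenant adds or Hoxhunt adds afterwards is never part of what Defender receives, and the absence of a submission for shared and group mailboxes is why reports from those mailboxes must be tracked on the Hoxhunt side.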
How to enable the feature?
No specific configuration steps are required from your side. Simply contact your Onboarding Manager or Customer Success Manager and ask Hoxhunt to enable the feature for you.
Viewing the reported threats by users in Defender
The reported emails can be found at: https://protection.office.com/reportsubmission or by going to https://security.microsoft.com/homepage > Threat management > Submissions > User submissions. A graph shows when users have reported phish and spam (junk) emails respectively. The user submissions include both emails reported via Hoxhunt and emails reported with Microsoft’s own reporting functionality.
Below the graph on the same page you can view a list of all the reported emails. More in-depth information is available about each reported email, and you can further analyse the reports yourself, run automated investigation playbooks via Microsoft AIR or make use of other Microsoft functionality.
Note that there can be a delay of a few minutes from when an email is reported by the user until it shows up under User submissions.
Adding a custom mailbox for user submissions (optional)
Your organization can optionally add a custom mailbox for user submissions at Office 365 Security & Compliance > Threat management > Policy or directly at: https://protection.office.com/userSubmissionsReportMessage.
This is not a necessary step for the integration itself. The option can be used if you want to selectively and manually report messages to Microsoft using Admin submission.
What information is forwarded to Microsoft?
The complete email is forwarded. It is forwarded before it is uploaded to Hoxhunt and enriched by Hoxhunt; therefore it will not include any enrichments added by Hoxhunt, such as threat ratings by threat analysts.
Information is also available on whether the email was reported as spam (junk) or as phish.
Can I distinguish emails reported via the Hoxhunt button from other user submissions?
Hoxhunt does not manipulate the emails that are forwarded to Microsoft, which means there's no way to know if an email is reported by Hoxhunt by looking at the reported email in Threat Explorer / User submissions.
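Because Defender cannot tell Hoxhunt-originated submissions apart, and because reports from shared or group mailboxes never reach Defender while reports from personal mailboxes appear only after a lag, a security team that wants to confirm the integration is working has to reconcile the two sides itself. The script below is an added example written for this article, not a Hoxhunt or Microsoft tool. It assumes both an export of Hoxhunt reports and an export of Defender user submissions carry the reporter’s address and the original mail’s Message-ID (plausible because the unmodified email is what gets forwarded, but an assumption); the 15-minute tolerance, the dictionary field names and all sample records are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

# Generous cover for the 5-10 minute lag before a submission appears in
# Defender (assumed tolerance for this example, not a Microsoft figure).
SUBMISSION_LAG = timedelta(minutes=15)


def reconcile(hoxhunt_reports: Iterable[dict], defender_submissions: Iterable[dict],
              shared_mailboxes: Set[str], now: datetime) -> Dict[str, List[str]]:
    """Classify each Hoxhunt report by whether a matching Defender submission exists.

    Records are joined on (reporter address, Message-ID); the assumption is that
    both exports carry the Message-ID of the original mail.
    """
    index: Dict[tuple, List[datetime]] = {}
    for s in defender_submissions:
        key = (s["reporter"].lower(), s["message_id"])
        index.setdefault(key, []).append(s["submitted_at"])

    buckets: Dict[str, List[str]] = {"matched": [], "pending": [], "not_expected": [], "missing": []}
    for r in hoxhunt_reports:
        key = (r["reporter"].lower(), r["message_id"])
        close = [t for t in index.get(key, []) if abs(t - r["reported_at"]) <= SUBMISSION_LAG]
        if close:
            buckets["matched"].append(r["message_id"])
        elif r["reporter"].lower() in shared_mailboxes:
            # Shared/group mailbox: Hoxhunt records the report, Defender never will.
            buckets["not_expected"].append(r["message_id"])
        elif now - r["reported_at"] <= SUBMISSION_LAG:
            buckets["pending"].append(r["message_id"])   # still inside the lag window
        else:
            buckets["missing"].append(r["message_id"])   # overdue: worth a look
    return buckets


# Constructed sample data, not real exports.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
HOXHUNT_REPORTS = [
    {"reporter": "alice@example.com", "message_id": "<m1@attacker.example>", "reported_at": T0},
    {"reporter": "bob@example.com", "message_id": "<m2@attacker.example>", "reported_at": T0 + timedelta(minutes=5)},
    {"reporter": "helpdesk@example.com", "message_id": "<m3@attacker.example>", "reported_at": T0},
    {"reporter": "carol@example.com", "message_id": "<m4@attacker.example>", "reported_at": T0 + timedelta(minutes=55)},
]
DEFENDER_SUBMISSIONS = [
    # Address case differs on purpose: the join must be case-insensitive.
    {"reporter": "Alice@example.com", "message_id": "<m1@attacker.example>", "submitted_at": T0 + timedelta(minutes=7)},
]
SHARED_MAILBOXES = {"helpdesk@example.com"}


def sample_reconciliation() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed data as of T0 + 1 hour."""
    return reconcile(HOXHUNT_REPORTS, DEFENDER_SUBMISSIONS, SHARED_MAILBOXES, now=T0 + timedelta(hours=1))


if __name__ == "__main__":
    for bucket, ids in sample_reconciliation().items():
        print(f"{bucket:13s} {ids}")
```

Only the "missing" bucket needs attention: "pending" reports are simply inside the expected lag, and "not_expected" ones are reports from shared or group mailboxes that the article says will never produce a Defender user submission.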
Can I forward emails to other email platforms?
We are currently not planning to enable platform reports to other email providers such as Gmail. The feature can only be used by Microsoft customers.
I want more information
Check out the documentation for user submissions from Microsoft at: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/user-submission?view=o365-worldwide.
Appendix: Microsoft Automated Investigation and Response (AIR)
In September 2019, Microsoft released Automated Investigation and Response (AIR) in Office 365 which allows your security team to create automated rules for incident management. With AIR, your team can create playbooks around different types of incidents which will help the team focus on the urgent cases while less urgent “informative” reports can be handled at a later stage.
By using AIR, security operations teams can increase their efficiency and effectiveness by automating tasks and workflows for known security threats. These threats can be automatically investigated and suitable playbooks can be set to await approval, improving security responsiveness within the organization. These threats can be prioritized based on their informational severity, helping the security operations team focus their efforts on specific alerts.
NOTE: Hoxhunt doesn't provide support for setting up or using Microsoft services like ATP and Defender. Please consult your Security and Microsoft teams for more information.
Licensing for AIR
One of the following subscriptions is required:
Microsoft 365 E5
Microsoft 365 A5
Microsoft 365 E5 Security
Microsoft 365 A5 Security
Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5
Please check all detailed requirements here: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-configure-auto-investigation-response?view=o365-worldwide
How does AIR work?
Microsoft runs a root investigation on the reported emails, which includes:
A determination about what type of threat it might be
Who sent it
Where the email was sent from (sending infrastructure)
Whether other instances of the email were delivered or blocked
An assessment from Microsoft analysts
Whether the email is associated with any known campaigns
You can view all alerts in the Security & Compliance center under Alerts > View alerts.
When an alert is triggered, a predetermined automated workflow is set in motion and your security team is notified of the report. By default, the following alerts are automatically investigated in AIR:
- A potentially malicious URL click was detected
- Email reported by user as phish
- Email messages containing malware removed after delivery
- Email messages containing phish URLs removed after delivery
- Suspicious email sending patterns detected
- User restricted from sending email
Search and Investigate
Microsoft provides a list of recommended actions to take on the reported threats. Several search and investigation steps can be triggered:
Similar email messages are identified via email cluster searches.
The signal is shared with other platforms, such as Microsoft Defender for Endpoint.
A determination is made on whether any users have clicked through any malicious links in suspicious email messages.
A check is done to see if a user has been compromised. This check leverages signals across Office 365, Microsoft Cloud App Security, and Azure Active Directory, correlating any related user activity anomalies.
Finally, Microsoft can take remediation steps based on the information above:
Soft delete email messages or clusters
Block URL (time-of-click)
Turn off external mail forwarding
Turn off delegation
NOTE: Alternatively, the SOC can manually start an automated investigation from the Threat Explorer.
See more: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/automated-investigation-response-office?view=o365-worldwide#example-a-security-administrator-triggers-an-investigation-from-threat-explorer