Redirect reported threats to Microsoft (Defender Integration)

Introduction

NOTE: Hoxhunt doesn't provide support for setting up or using Microsoft services like Defender (formerly ATP). Please consult your Security and Microsoft teams for more information.

The Hoxhunt button in Outlook can be used to forward reported threats from personal mailboxes to Microsoft as user submissions, just as if the customer used Microsoft’s own reporting functionality. This feature is a part of the base Hoxhunt product. 

The data is submitted to Microsoft for analysis, which improves the filtering layer. Microsoft does not share exact information about the qualitative improvements, for security reasons. User reports will be available in Defender and in Azure Sentinel for further analysis.

To access user submissions in Defender or Azure Sentinel, ensure you have the licenses Microsoft requires. All users need E5 licenses to access user submissions in Defender. For more information about licensing, contact Microsoft directly and ask which licenses would be the most appropriate for your organisation to access user submissions.

Technical requirements

Technically, when Hoxhunt uploads a suspicious email to Microsoft ATP, it is treated as a user submission. Microsoft’s user submission policies apply to:

To modify the configuration for user submissions, the user needs to be a member of one of the following role groups:

Read more about how to access the user submissions at: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/user-submission?view=o365-worldwide.

Technical limitations

Microsoft's add-in framework imposes some restrictions on how the Hoxhunt add-in can interact with Defender. In certain scenarios, reported emails are neither uploaded to Defender nor removed automatically from the user's Inbox. See below for details.

  1. Microsoft's add-in framework doesn't support reporting spam or phishing emails from shared or group mailboxes or from an on-premise mailbox. Thus, no user submission is created in Defender when an email is reported from a shared mailbox, group mailbox or an on-premise mailbox. Hoxhunt therefore strongly recommends configuring a secondary redirection method for emails reported as phishing (and also for spam). Reported emails can be forwarded to a mailbox of your choosing, or they can be uploaded to the Hoxhunt platform.
  2. The automatic email removal feature is not supported when reporting non-Hoxhunt emails from a shared mailbox or from an on-premise mailbox. However, Hoxhunt training emails are always removed natively by the Hoxhunt add-in, even when the Defender integration is enabled.

How does the integration work?

The integration works as follows:

1. End user clicks the Hoxhunt add-in. This opens the menu options for reporting a real threat.

2. End user reports an email as phishing. If the end user reports an email as phishing from a personal mailbox, Hoxhunt forwards that information to Microsoft just as if the user reported something as phishing with Microsoft’s own native reporting options. A message is shown that the email is being uploaded to Microsoft. After the upload to Microsoft is completed, the email is uploaded to Hoxhunt and/or forwarded to your chosen mailbox, depending on your configuration. As a final step the reported email is moved to the Deleted Items folder (see Technical limitations).

3. End user reports an email as spam. If the user reports an email as spam from a personal mailbox, Hoxhunt forwards that information to Microsoft just as if the user reported something as junk with Microsoft’s own native reporting options. A message is shown that the email is being uploaded to Microsoft. After the upload to Microsoft is completed, the email is uploaded to Hoxhunt and/or forwarded to your chosen mailbox, depending on your configuration. As a final step the reported email is moved to the Junk folder and the sender is added to the Blocked Senders list (see Technical limitations).

4. End user reports an email as not spam. If the user reports an email as not spam from the Junk folder, Hoxhunt forwards that information to Microsoft just as if the user reported something as not junk with Microsoft’s own native reporting options. The reported email is then moved back to the user’s Inbox.

  • Please note: Allowing users to report emails as not spam is an additional feature that can be enabled by your Onboarding Manager or Customer Success Manager at Hoxhunt. If the Report as not spam feature is not enabled, users can report any email as spam, including emails located in their Junk folder.

5. The submissions are sent to Microsoft and are visible at https://protection.office.com/reportsubmission. In general it takes 5 to 10 minutes before a user's reports show up in User reported messages (formerly known as User Submissions).

How to enable the feature?

  1. Navigate to https://admin.hoxhunt.com/settings/response/threat-settings.
  2. Scroll down to Report to Microsoft section.
  3. Tick Enable Report to Microsoft checkbox.

NOTE: Defender doesn't support user submissions from shared mailboxes. Please fill in a backup mailbox address where reported emails from shared mailboxes should be forwarded to.

Viewing the reported threats by users in Defender

The reported emails can be found at https://security.microsoft.com/reportsubmission?viewid=user or by navigating to https://security.microsoft.com/homepage > Email & collaboration > Submissions > User reported messages. A graph shows when users have reported phish and spam (junk) emails. The User reported messages view includes both emails reported via Hoxhunt and emails reported with Microsoft’s own reporting functionality.

Below the graph on the same page, you can view a list of all the reported emails. More in-depth information is available for each reported email, and you can analyse the reports yourself, run automated investigation playbooks via Microsoft AIR, or make use of other Microsoft functionalities.

Note that there can be a delay of a few minutes from when a user reports an email until it shows up under User reported messages.

Selecting where user reported messages are uploaded to

Microsoft's User reported message settings (also known as the User submission policy) let you decide where the suspicious emails reported by your employees are uploaded. You can choose between Microsoft only, Microsoft and custom mailbox, and Custom mailbox only. Learn more about the options from Microsoft's article "User reported message settings".

You can access the settings directly from https://security.microsoft.com/userSubmissionsReportMessage or by navigating to https://security.microsoft.com/homepage > Email & collaboration > Policies & rules > Threat policies > Others > User reported message settings.

When the Hoxhunt add-in is used to report an email as phish or spam, the User reported messages section will display the reported emails when you have selected any of the following options:

  • Microsoft (recommended)
  • Microsoft and my organization's mailbox
  • My organization's mailbox

NOTE: This behaviour differs from Microsoft's native reporting options (Report Message add-in, Report Phishing add-in, etc.). With the native reporting options from Microsoft, if you select the My organization's mailbox option, reported messages will not be sent to Microsoft for rescan and the User reported messages portal will always be empty.

Configuring a custom mailbox for user reported messages (optional)

This is not a mandatory step for the Hoxhunt integration. Setting up a custom mailbox and sending reported emails to it can be useful if you want to selectively and manually report messages to Microsoft using the Submitted for analysis option.

IMPORTANT: Before you start, please follow Microsoft's article "User reported message settings" to learn how to properly prepare the custom mailbox.

1. Navigate to https://security.microsoft.com/userSubmissionsReportMessage.

2. Select either My organization's mailbox or Microsoft and my organization's mailbox.

3. Specify the mailbox address and click Save.

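The same setting can also be applied from Exchange Online PowerShell instead of the portal. This is an added example, not part of the Hoxhunt article or Microsoft's documentation: the cmdlet and parameter names are those of Microsoft's ExchangeOnlineManagement module as I know them (check them against Microsoft's current reference before running), the mailbox address is a placeholder, and the custom mailbox is assumed to be prepared as the Microsoft article above describes.

```powershell
# Added example (not from the Hoxhunt article): select "Microsoft and my organization's
# mailbox" with Exchange Online PowerShell. Requires the ExchangeOnlineManagement module
# and an account in one of the role groups Microsoft lists for user submissions.
Connect-ExchangeOnline

# Placeholder: replace with the custom mailbox you prepared per Microsoft's
# "User reported message settings" article.
$ReportingMailbox = "reported-messages@example.com"

# Equivalent of the portal choice "Microsoft and my organization's mailbox":
# keep reporting to Microsoft enabled AND copy phish, junk and not-junk reports
# to the custom mailbox. Set -EnableReportToMicrosoft to $false for
# "My organization's mailbox" only (see the NOTE above on how that affects
# native Microsoft add-ins, but not the Hoxhunt add-in).
Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy `
    -EnableReportToMicrosoft $true `
    -ReportPhishToCustomizedAddress $true   -ReportPhishAddresses   $ReportingMailbox `
    -ReportJunkToCustomizedAddress $true    -ReportJunkAddresses    $ReportingMailbox `
    -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $ReportingMailbox

# The policy is paired with a report submission rule that names the same mailbox.
# Create the rule if the tenant does not have one yet, otherwise update it.
if (Get-ReportSubmissionRule -ErrorAction SilentlyContinue) {
    Set-ReportSubmissionRule -Identity DefaultReportSubmissionRule -SentTo $ReportingMailbox
} else {
    New-ReportSubmissionRule -Name DefaultReportSubmissionRule `
        -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $ReportingMailbox
}

# Verify what the tenant now has, matching what the portal page shows.
Get-ReportSubmissionPolicy | Format-List EnableReportToMicrosoft,
    ReportPhishAddresses, ReportJunkAddresses, ReportNotJunkAddresses
Get-ReportSubmissionRule | Format-List Name, SentTo
```

Review the output before closing the session: the address shown in ReportPhishAddresses, ReportJunkAddresses and ReportNotJunkAddresses is where the Hoxhunt-forwarded reports will be copied.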
Processing User reported messages

To learn more about how to process, escalate and respond to employees about the suspicious emails they have reported, read this Microsoft article.

Frequently asked questions

What information is forwarded to Microsoft?

When you have configured reported messages to be sent to Microsoft, the complete email is forwarded as-is. Whether the email was reported as phish or spam (junk) is also conveyed to Microsoft.

NOTE: The email is forwarded before it is optionally uploaded to Hoxhunt and enriched by Hoxhunt. Therefore, it will not include any enrichments introduced by Hoxhunt, such as threat ratings by our threat analysts.

Can I monitor the emails the users are submitting to Microsoft?

Yes. Please refer to Microsoft article "Use mail flow rules to see what your users are reporting to Microsoft in Exchange Online".

I want my Security team to process user reported emails in Defender but don't want to send the emails to Microsoft. Is this possible?

This kind of scenario isn't natively supported by Microsoft. However, it may be possible to create mail flow rules to block Defender from sending the reported emails to Microsoft's dedicated email addresses.

  • junk@office365.microsoft.com
  • abuse@messaging.microsoft.com
  • phish@office365.microsoft.com
  • not_junk@office365.microsoft.com

IMPORTANT: Hoxhunt doesn't support or endorse using this scenario.

Can I distinguish emails reported via the Hoxhunt button from other user submissions?

Hoxhunt does not manipulate the emails that are forwarded to Microsoft, which means there's no way to know whether an email was reported with the Hoxhunt add-in by looking at the reported email in Threat Explorer / User reported messages.

Can I send reported emails to other email platforms?

We are currently not planning to enable forwarding reports directly from Hoxhunt to other email providers such as Gmail. The feature can only be used by Microsoft customers.

However, it is possible to send reported emails first to Defender, and from there to a custom mailbox. You can then further process the emails in the custom mailbox.

I want more information

Check out the documentation for user reported messages from Microsoft at: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/user-submission?view=o365-worldwide.

Appendix: Microsoft Automated Investigation and Response (AIR)

Introduction

In September 2019, Microsoft released Automated Investigation and Response (AIR) in Office 365 which allows your security team to create automated rules for incident management. With AIR, your team can create playbooks around different types of incidents which will help the team focus on the urgent cases while less urgent “informative” reports can be handled at a later stage.

By using AIR, security operations teams can increase their efficiency and effectiveness by automating tasks and workflows for known security threats. These threats can be investigated automatically, and suitable playbooks can be set to await approval, improving security responsiveness within the organization. Threats can be prioritized based on their severity, helping the security operations team focus their efforts on specific alerts.

NOTE: Hoxhunt doesn't provide support for setting up or using Microsoft services like ATP and Defender. Please consult your Security and Microsoft teams for more information.

Read more about AIR: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-air?view=o365-worldwide

Licensing for AIR

One of the following subscriptions is required:

  • Microsoft 365 E5

  • Microsoft 365 A5

  • Microsoft 365 E5 Security

  • Microsoft 365 A5 Security

  • Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5

Please check all detailed requirements here: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-configure-auto-investigation-response?view=o365-worldwide

How does AIR work?

Root analysis

Microsoft runs a root investigation on the reported emails, which includes:

  • A determination about what type of threat it might be

  • Who sent it

  • Where the email was sent from (sending infrastructure)

  • Whether other instances of the email were delivered or blocked

  • An assessment from Microsoft analysts

  • Whether the email is associated with any known campaigns

  • etc.

Alert

You can view all alerts in the Security & Compliance center under Alerts > View alerts.

When an alert is triggered, a predetermined automated workflow sets into action and your security team is notified of the report. By default, the below alerts are auto investigated in AIR: 

  • A potentially malicious URL click was detected 
  • Email reported by user as phish 
  • Email messages containing malware removed after delivery  
  • Email messages containing phish URLs removed after delivery 
  • Suspicious email sending patterns detected 
  • User restricted from sending email 

Search and Investigate

Microsoft provides a list of recommended actions to take on the reported threats. Several search and investigation steps can be triggered:

  • Similar email messages are identified via email cluster searches.

  • The signal is shared with other platforms, such as Microsoft Defender for Endpoint.

  • A determination is made on whether any users have clicked through any malicious links in suspicious email messages.

  • A check is done across Exchange Online Protection (EOP) and Microsoft Defender for Office 365 to see if there are any other similar messages reported by users.

  • A check is done to see if a user has been compromised. This check leverages signals across Office 365, Microsoft Cloud App Security, and Azure Active Directory, correlating any related user activity anomalies.

Remediate

Finally, Microsoft can take remediation steps based on the information above:

  • Soft delete email messages or clusters

  • Block URL (time-of-click)

  • Turn off external mail forwarding

  • Turn off delegation

NOTE: Alternatively, the SOC can manually start an automated investigation from the Threat Explorer.
See more: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/automated-investigation-response-office?view=o365-worldwide#example-a-security-administrator-triggers-an-investigation-from-threat-explorer
