Fastest and best approach to react to phishing mails hitting an organization


What is the fastest and correct approach to react to phishing emails hitting an organization? What can and should an admin do, as soon as he sees a phishing email in his Inbox?

There are two use-cases I would like to consider:

  • As an admin, I want to quickly see and react to phishing mails. As of now, I can use the Threat Explorer to search e.g. for the subject of an email, and then trigger a hard delete. This feels laborious. There also seem to be multiple backends where alerts, actions, incidents and investigations are displayed (security.microsoft.com and protection.office.com). What is the best approach here?
  • As a user, I want to notify the admin about phishing. This seems to be possible with the "Report message" add-in. However, as an admin I see just reports - there is no way to react like: "Yes, this is phishing" or "No, this is not phishing. You can click on the links".

Edit: further outlined use-cases.

1 Reply
Hi, this should help https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/tuning-anti-phishing?vie...

As for the Report Message add-in, the message will be analyzed by Microsoft. You only get a "heads-up" so you can review messages that users report to Microsoft.