LogRhythm-Labs / PIE

:mailbox: The Phishing Intelligence Engine - An Active Defense PowerShell Framework for Phishing Defense with Office 365
MIT License

Using the O365 "Report Phishing" button #13

Open wattsline opened 5 years ago

wattsline commented 5 years ago

Have gotten PIE to work using the O365 MS report phish button rather than the LogRhythm button. This reduced confusion with our users and made our O365 admins happy. Thought I would share.

1) In O365 admin portal, added the PIE email address to the reported phishing notification. This places copies of the emails in the inbox with a recipient of "phish@office365.microsoft.com", not the PIE email account. The reported email is still an attachment and is still processed by the scheduled task.

Minor changes to Invoke-O365Trace.ps1:

2) Added new variable: $notifyAddress = "phish@office365.microsoft.com" just under the "$socMailbox" definition.
3) Substituted "$notifyAddress" for "$socMailbox" in these lines (at ~line 270):

    $phishTrace = Get-MessageTrace -RecipientAddress $notifyAddress -StartDate $inceptionDate -EndDate $date | Select MessageTraceID,Received,*Address,*IP,Subject,Status,Size,MessageID | Sort-Object Received
    $phishTrace | Export-Csv $tmpLog -NoTypeInformation
    type $tmpLog | findstr -i $notifyAddress >> $phishLog
    $reportPhish = type $tmpLog | findstr -i $notifyAddress

4) In the O365 Dashboard, changed the Lucene code in the "Phishing Message Reported" widget to the "phish@office365.microsoft.com" address.
5) Add "phish@office365.microsoft.com" to AIE Phishing Rules criteria Recipient values.

That's it!

gfoss commented 5 years ago

This is perfect - just tested it out and plan to add these updates to the official code base later this week. Really cool solution - thank you!

Jt3kt commented 5 years ago

This is nice, as you should be able to collect reports in parallel, if you do have your own phish alert button along with the 365 Mark as phishing.
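Collecting both report sources from one exported trace, as an added example that is not part of PIE or of any post in this thread: it filters on an exact, case-insensitive match of the `RecipientAddress` column instead of `findstr`, which matches the address anywhere in the CSV line (including the subject). The `pie@example.com` mailbox, the `Select-PhishReport` function and the trace rows are constructed placeholders.

```powershell
# Added example, not PIE code. Mailbox name and all trace rows are constructed.
$socMailbox      = 'pie@example.com'                 # placeholder for the PIE mailbox
$notifyAddress   = 'phish@office365.microsoft.com'   # address from the post above
$reportAddresses = @($socMailbox, $notifyAddress)

# Constructed stand-in for the CSV that Export-Csv writes to $tmpLog
$trace = @'
"MessageTraceID","Received","SenderAddress","RecipientAddress","Subject","Status","MessageID"
"t-001","2018-11-20 14:02:11","alice@example.com","phish@office365.microsoft.com","Invoice overdue","Delivered","<a1@mail.example.net>"
"t-002","2018-11-20 14:05:40","bob@example.com","PIE@example.com","Fw: reset your password","Delivered","<b2@mail.example.net>"
"t-003","2018-11-20 14:09:03","helpdesk@example.com","carol@example.com","Forward suspicious mail to phish@office365.microsoft.com","Delivered","<c3@mail.example.net>"
"t-004","2018-11-20 14:02:12","alice@example.com","phish@office365.microsoft.com","Invoice overdue","Delivered","<a1@mail.example.net>"
'@ | ConvertFrom-Csv

function Select-PhishReport {
    param(
        [Parameter(Mandatory)] [object[]] $Trace,      # rows from the message trace CSV
        [Parameter(Mandatory)] [string[]] $Recipient   # report addresses to accept
    )
    $Trace |
        # -contains compares whole strings, case-insensitively, so t-003
        # (address only in the Subject) is not treated as a report
        Where-Object { $Recipient -contains $_.RecipientAddress } |
        # one report per MessageID, so t-004 does not trigger a second run
        Group-Object -Property MessageID |
        ForEach-Object { $_.Group | Select-Object -First 1 } |
        Sort-Object { [datetime]$_.Received }
}

$reports = Select-PhishReport -Trace $trace -Recipient $reportAddresses
$reports | Format-Table MessageTraceID, Received, RecipientAddress, Subject

# Substring matching over the raw lines would also have picked up t-003
$substringHits = $trace | Where-Object { ($_.PSObject.Properties.Value -join ',') -like "*$notifyAddress*" }
"exact-match reports: $(@($reports).Count); substring hits for notify address: $(@($substringHits).Count)"
```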

wattsline commented 5 years ago

In Exchange Admin:

On Dec 4, 2018, at 2:40 PM, DPSMikeS notifications@github.com wrote:

I have completed everything except I cannot find where to set the PIE address in the O365 Admin Portal. Any help?


Ken Watts wattsline@gmail.com

fm407 commented 5 years ago

Is this still a valid workaround? Seems like it's not working anymore.