General
This rule compares e-mails in Office 365 with the indicators in your MISP source. If an e-mail carries an attachment whose hash is known in MISP, an alarm is raised.
Rationale
The MISP source serves as a repository of indicators of malicious behaviour. These indicators are obtained from research into previous attacks on other organisations. Exchanging that data ensures that new, similar attacks are detected in a timely manner. By correlating the indicators with the logs in the Microsoft tenant, detection becomes active, and Attic helps with rapid incident handling.
Attic currently supports the following MISP sources:
- Z-CERT
- IBD from VNG
- FERM Rotterdam
Use of these sources is only permitted for the intended target group, which Attic will validate per customer.
Manual follow-up
Follow these steps to follow up on this detection. If you have an Attic IR Strip card, you can call on our experts for this.
- Open the Exchange admin portal https://admin.exchange.microsoft.com/
- Go to Mail Flow > Message Trace
- Start a new Trace
- Enter the NetworkMessageID from the Attic alarm in the Message ID field
- Click on Search
- Examine the email.
- Check whether the e-mail has been delivered to the mailbox.
  - If yes: assess whether the recipient opened the attachment.
  - If the attachment was opened: check the system on which this happened for malware and take appropriate action.
- Collect data about the email to see if more similar emails have been received that require action.
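The following is an added example, not Attic's own code, showing the two halves of this page in working form: the detection rule (matching attachment hashes from Office 365 mail records against MISP attributes with the `to_ids` flag set) and the manual follow-up (checking delivery status and collecting similar messages from the same sender or with the same attachment). Both the MISP attributes and the mail records are constructed sample data; the record field names (`NetworkMessageId`, `SenderAddress`, `Status`, `Attachments`) are assumptions modelled on Exchange message trace columns, and the MISP attribute shape follows MISP's attribute JSON (`type`, `value`, `to_ids`, `event_id`).

```python
"""Added example: MISP attachment-hash matching plus follow-up pivot over Office 365 mail records."""

# Hash attribute types we treat as file indicators (MISP also stores them as
# composite "filename|sha256"-style types, handled below).
HASH_TYPES = {"md5", "sha1", "sha256"}

# Constructed MISP attributes (shape follows MISP attribute JSON; all values are made up).
MISP_ATTRIBUTES = [
    {"type": "sha256", "value": "a" * 64, "to_ids": True, "event_id": "1001"},
    {"type": "sha256", "value": "b" * 64, "to_ids": False, "event_id": "1002"},  # not for detection
    {"type": "filename|sha256", "value": "report.docm|" + "e" * 64, "to_ids": True, "event_id": "1003"},
    {"type": "ip-dst", "value": "203.0.113.5", "to_ids": True, "event_id": "1004"},  # not a file hash
]

# Constructed Office 365 mail records; field names are assumptions modelled on
# Exchange message trace columns, not an exact export format.
MESSAGES = [
    {"NetworkMessageId": "3f9c1a2e-0000-4000-8000-000000000001", "SenderAddress": "billing@example.net",
     "RecipientAddress": "alice@example.org", "Status": "Delivered",
     "Attachments": [{"FileName": "invoice.zip", "SHA256": "A" * 64}]},  # upper-case on purpose
    {"NetworkMessageId": "3f9c1a2e-0000-4000-8000-000000000002", "SenderAddress": "billing@example.net",
     "RecipientAddress": "bob@example.org", "Status": "Quarantined",
     "Attachments": [{"FileName": "invoice.zip", "SHA256": "a" * 64}]},
    {"NetworkMessageId": "3f9c1a2e-0000-4000-8000-000000000003", "SenderAddress": "hr@example.org",
     "RecipientAddress": "carol@example.org", "Status": "Delivered",
     "Attachments": [{"FileName": "policy.pdf", "SHA256": "d" * 64}]},
    {"NetworkMessageId": "3f9c1a2e-0000-4000-8000-000000000004", "SenderAddress": "news@example.com",
     "RecipientAddress": "dave@example.org", "Status": "Delivered", "Attachments": []},
    {"NetworkMessageId": "3f9c1a2e-0000-4000-8000-000000000005", "SenderAddress": "billing@example.net",
     "RecipientAddress": "erin@example.org", "Status": "Delivered",
     "Attachments": [{"FileName": "report.docm", "SHA256": "e" * 64}]},
]


def build_hash_index(attributes):
    """Index file-hash attributes flagged for IDS use (to_ids), keyed by lower-case hash."""
    index = {}
    for attr in attributes:
        attr_type = attr.get("type", "")
        value = attr.get("value", "")
        if "|" in attr_type:  # composite type such as "filename|sha256": keep the hash half
            attr_type = attr_type.split("|", 1)[1]
            value = value.split("|", 1)[-1]
        if attr_type in HASH_TYPES and attr.get("to_ids"):
            index[value.lower()] = attr
    return index


def match_messages(messages, hash_index):
    """The detection rule: one alarm per attachment whose hash is a MISP indicator."""
    alarms = []
    for msg in messages:
        for att in msg.get("Attachments", []):
            digest = att.get("SHA256", "").lower()  # normalise case before lookup
            hit = hash_index.get(digest)
            if hit is not None:
                alarms.append({
                    "NetworkMessageId": msg["NetworkMessageId"],
                    "RecipientAddress": msg["RecipientAddress"],
                    "FileName": att.get("FileName", ""),
                    "SHA256": digest,
                    "MispEventId": hit["event_id"],
                    "Delivered": msg["Status"] == "Delivered",
                })
    return alarms


def triage(messages, alarm):
    """The manual follow-up in code: was the flagged mail delivered, and which other
    messages share its sender or its attachment hash (the 'similar e-mails' check)."""
    origin = next(m for m in messages if m["NetworkMessageId"] == alarm["NetworkMessageId"])
    related = []
    for msg in messages:
        if msg["NetworkMessageId"] == origin["NetworkMessageId"]:
            continue
        same_sender = msg["SenderAddress"].lower() == origin["SenderAddress"].lower()
        same_hash = any(a.get("SHA256", "").lower() == alarm["SHA256"] for a in msg.get("Attachments", []))
        if same_sender or same_hash:
            related.append(msg["NetworkMessageId"])
    return {"delivered": origin["Status"] == "Delivered", "related": sorted(related)}


if __name__ == "__main__":
    index = build_hash_index(MISP_ATTRIBUTES)
    for alarm in match_messages(MESSAGES, index):
        print(alarm["NetworkMessageId"], alarm["FileName"], "event", alarm["MispEventId"], triage(MESSAGES, alarm))
```

Two details matter for a real deployment: only attributes with `to_ids` set are used, because MISP also stores contextual hashes that are not meant to trigger detections, and hashes are lower-cased on both sides so a differently cased value in the mail log does not silently miss. The `triage` output gives the analyst the NetworkMessageIds to enter in the Message Trace as described above.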