Using the O365 "Report Phishing" button #13
Description
Have gotten PIE to work using the O365 MS report phish button rather than the Logrhythm button. This reduced confusion with our users and made our O365 admins happy. Thought I would share.
- In O365 admin portal, added the PIE email address to the reported phishing notification. This places copies of the emails in the inbox with a recipient of "[email protected]", not the PIE email account. The reported email is still an attachment and is still processed by the scheduled task.
Minor changes to Invoke-O365Trace.ps1:
- Added new variable: $notifyAddress = "[email protected]" just under the "$socMailbox" definition.
- Substituted "$notifyAddress" for "$socMailbox" in these lines ( @~line 270)
$phishTrace = Get-MessageTrace -RecipientAddress $notifyAddress -StartDate $inceptionDate -EndDate $date | Select MessageTraceID,Received,*Address,*IP,Subject,Status,Size,MessageID | Sort-Object Received
$phishTrace | Export-Csv $tmpLog -NoTypeInformation
type $tmpLog | findstr -i $notifyAddress >> $phishLog
$reportPhish = type $tmpLog | findstr -i $notifyAddress
- In the O365 Dashboard, changed the Lucene code in the "Phishing Message Reported" widget to the "[email protected]" address.
- Add "[email protected]" to AIE Phishing Rules criteria Recipient values.
That's it!