Splunk SOAR

How to delete malicious email in all the company users' mailboxes?

drew19
Path Finder

Hi all,

is there a way to integrate with O365 and, given a malicious email (identified by subject and sender), search for it in all the mailboxes of all the users and then delete it?

I was looking for an action in the "EWS for Office 365 App" and in "MS Graph for Office 365" but I do not see any action able to do that. For instance, the "run query" actions require a precise mailbox to look into.

Thank you in advance.

0 Karma

phanTom
SplunkTrust
SplunkTrust

@drew19 if you can get the message id of the email from ANY inbox then you can just use the `delete email` action in the EWS app.

The message id is usually on the original email but depending how you report phishing you may not get the original id through so could run a query on 1 user's mailbox to find the id then pass into the delete action and as long as impersonation rights are there, AFAIK i should then delete all messages with that id in all mailboxes. 

Happy SOARing

----- If this helped fix it please mark as a solution to help others in the future -----

0 Karma

drew19
Path Finder

Hi @phanTom,

did you miss the last answer? Is there a way to understand if and how could we get all the email IDs related to a specific email (e.g. given a subject and a sender or pivoting on other elements - which ones in that case?).

Thank you in advance.

Andrea

0 Karma

drew19
Path Finder

Hi @phanTom ,

thank you for your reply.

 

This is not answering our question, so let me try to write it better.

Our target usecase is to:

1) Find all the users who have received an email with a particular subject/sender/string in the body and retrieving the related email IDs;

2) Delete such emails.

 

The (most important) point that seems not possible for now is the first one since when using the "run query" action from Exchange App you are required to specify the input field "email" that is the "User Mailbox to search in".
For this reason, we do not see any app/action for Phantom that could help us retrieving such IDs. Is there a way to do that?

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...