Splunk SOAR

How to delete malicious email in all the company users' mailboxes?

drew19
Path Finder

Hi all,

Is there a way to integrate with O365 and, given a malicious email (identified by subject and sender), search for it in all the mailboxes of all the users and then delete it?

I was looking for an action in the "EWS for Office 365 App" and in "MS Graph for Office 365" but I do not see any action able to do that. For instance, the "run query" actions require a precise mailbox to look into.

Thank you in advance.


phanTom
SplunkTrust

@drew19 if you can get the message ID of the email from ANY inbox, then you can just use the `delete email` action in the EWS app.

The message ID is usually on the original email, but depending on how you report phishing you may not get the original ID through, so you could run a query on one user's mailbox to find the ID, then pass it into the delete action and, as long as impersonation rights are there, AFAIK it should then delete all messages with that ID in all mailboxes.

Happy SOARing

----- If this helped fix it please mark as a solution to help others in the future -----


drew19
Path Finder

Hi @phanTom,

Did you miss the last answer? Is there a way to understand if and how we could get all the email IDs related to a specific email (e.g. given a subject and a sender, or pivoting on other elements; which ones in that case)?

Thank you in advance.

Andrea


drew19
Path Finder

Hi @phanTom ,

Thank you for your reply.
This is not answering our question, so let me try to write it better.

Our target usecase is to:

1) Find all the users who have received an email with a particular subject/sender/string in the body and retrieve the related email IDs;

2) Delete such emails.
The (most important) point that seems not possible for now is the first one, since when using the "run query" action from the Exchange App you are required to specify the input field "email", that is, the "User Mailbox to search in".
For this reason, we do not see any app/action for Phantom that could help us retrieve such IDs. Is there a way to do that?

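The two halves of this thread (phanTom's point that the EWS `delete email` action wants a message ID, and drew19's point that the "run query" action only searches one named mailbox) come down to a loop over the tenant's users. The following is an added example, not code from the thread or from the Splunk SOAR EWS or MS Graph apps: it walks every mailbox through the Microsoft Graph REST endpoints (list users, list a user's messages with an OData $filter, delete a message), dry-runs by default so the hit list can be reviewed, and prefers the RFC 5322 internetMessageId over subject and sender because a subject-only sweep also catches legitimate mail with the same subject. FakeGraph and SAMPLE_MAILBOXES are constructed so it runs offline; against a real tenant the client needs a bearer token for an app registration granted the Mail.ReadWrite application permission, the Graph counterpart of the EWS impersonation right phanTom mentions, and that permission reaches every mailbox, which is why the dry run is worth keeping.

```python
"""Find one reported phishing message in every mailbox and delete it via the
Microsoft Graph REST API.  Added example for this thread, not code from the
Splunk SOAR EWS/MS Graph apps.  The Graph endpoints are real (/users,
/users/{id}/messages?$filter=..., DELETE /users/{id}/messages/{id}); FakeGraph
and SAMPLE_MAILBOXES are constructed so the sweep runs offline."""
import copy
from urllib.parse import parse_qs, urlencode, urlparse

GRAPH = "https://graph.microsoft.com/v1.0"


def odata_quote(value):
    # OData string literals double embedded single quotes; pasting an
    # attacker-controlled subject verbatim would otherwise break or widen the filter.
    return "'" + value.replace("'", "''") + "'"


def build_filter(subject=None, sender=None, internet_message_id=None):
    """$filter for the message search. internetMessageId is the precise selector
    (every recipient's copy carries the same Message-ID); subject/sender over-match."""
    clauses = []
    if internet_message_id:
        clauses.append(f"internetMessageId eq {odata_quote(internet_message_id)}")
    if subject:
        clauses.append(f"subject eq {odata_quote(subject)}")
    if sender:
        clauses.append(f"from/emailAddress/address eq {odata_quote(sender)}")
    if not clauses:
        raise ValueError("refusing to sweep with no selector: it would match every message")
    return " and ".join(clauses)


def sweep(graph, *, subject=None, sender=None, internet_message_id=None, delete=False):
    """Return (userPrincipalName, message id) for every match in every mailbox.
    Deletes only when delete=True; the default is a dry run for review."""
    flt = build_filter(subject, sender, internet_message_id)
    found = []  # (upn, user id, message id)
    url = f"{GRAPH}/users?" + urlencode({"$select": "id,userPrincipalName"})
    while url:  # follow @odata.nextLink paging over the user list
        page = graph.request("GET", url)
        for user in page["value"]:
            murl = (f"{GRAPH}/users/{user['id']}/messages?"
                    + urlencode({"$select": "id,subject", "$filter": flt}))
            while murl:  # and over each mailbox's result set
                mpage = graph.request("GET", murl)
                for msg in mpage["value"]:
                    found.append((user["userPrincipalName"], user["id"], msg["id"]))
                murl = mpage.get("@odata.nextLink")
        url = page.get("@odata.nextLink")
    if delete:  # second pass, so deletions never disturb the paging above
        for _, uid, mid in found:
            graph.request("DELETE", f"{GRAPH}/users/{uid}/messages/{mid}")
    return [(upn, mid) for upn, _, mid in found]


class FakeGraph:
    """Offline stand-in for Graph, constructed for this example.  Answers the three
    calls sweep() makes and evaluates 'path eq literal' clauses joined by ' and '."""

    def __init__(self, mailboxes):
        self.mailboxes = mailboxes  # {upn: [message dicts]}; the upn doubles as user id
        self.deleted = []           # (upn, message id) removed by DELETE calls

    def request(self, method, url):
        parsed = urlparse(url)
        parts = parsed.path.split("/")[2:]  # drop '' and 'v1.0'
        if method == "GET" and parts == ["users"]:
            return {"value": [{"id": u, "userPrincipalName": u} for u in self.mailboxes]}
        if method == "GET" and len(parts) == 3 and parts[2] == "messages":
            flt = parse_qs(parsed.query)["$filter"][0]
            hits = [m for m in self.mailboxes[parts[1]] if self._match(m, flt)]
            return {"value": [{"id": m["id"], "subject": m["subject"]} for m in hits]}
        if method == "DELETE" and len(parts) == 4 and parts[2] == "messages":
            self.mailboxes[parts[1]] = [m for m in self.mailboxes[parts[1]] if m["id"] != parts[3]]
            self.deleted.append((parts[1], parts[3]))
            return {}
        raise ValueError(f"unsupported call: {method} {url}")

    @staticmethod
    def _match(msg, flt):
        for clause in flt.split(" and "):
            path, literal = clause.split(" eq ", 1)
            want = literal[1:-1].replace("''", "'")
            node = msg
            for key in path.split("/"):
                node = node.get(key) if isinstance(node, dict) else None
            if node != want:
                return False
        return True


# Constructed sample tenant.  bob's second message shares the phishing subject
# but comes from the real IT desk: a subject-only sweep would remove it too.
PHISH_MSG_ID = "<phish-001@evil.example>"
EVIL = {"emailAddress": {"address": "it-helpdesk@evil.example"}}
SAMPLE_MAILBOXES = {
    "alice@contoso.example": [
        {"id": "AAMk-a1", "subject": "Urgent: reset your password",
         "internetMessageId": PHISH_MSG_ID, "from": EVIL}],
    "bob@contoso.example": [
        {"id": "AAMk-b1", "subject": "Urgent: reset your password",
         "internetMessageId": PHISH_MSG_ID, "from": EVIL},
        {"id": "AAMk-b2", "subject": "Urgent: reset your password",
         "internetMessageId": "<legit-77@contoso.example>",
         "from": {"emailAddress": {"address": "it@contoso.example"}}}],
    "carol@contoso.example": [],
}


def make_fake():
    return FakeGraph(copy.deepcopy(SAMPLE_MAILBOXES))


if __name__ == "__main__":
    g = make_fake()
    print("subject only (over-matches):", sweep(g, subject="Urgent: reset your password"))
    print("deleted:", sweep(g, internet_message_id=PHISH_MSG_ID, delete=True))
```

A real client only has to provide the same `request(method, url)` returning parsed JSON, adding the `Authorization: Bearer` header; everything above it, including the paging and the dry-run-then-delete split, stays the same. Run the subject-only sweep first and compare it with the internetMessageId sweep before passing `delete=True`.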