Splunk SOAR (f.k.a. Phantom)

How to delete malicious email in all the company users' mailboxes?

drew19
Path Finder

Hi all,

is there a way to integrate with O365 and, given a malicious email (identified by subject and sender), search for it in all the mailboxes of all the users and then delete it?

I was looking for an action in the "EWS for Office 365 App" and in "MS Graph for Office 365" but I do not see any action able to do that. For instance, the "run query" actions require a precise mailbox to look into.

Thank you in advance.

0 Karma

phanTom
SplunkTrust

@drew19 if you can get the message id of the email from ANY inbox then you can just use the `delete email` action in the EWS app.

The message id is usually on the original email, but depending on how you report phishing you may not get the original id through, so you could run a query on one user's mailbox to find the id, then pass it into the delete action and, as long as impersonation rights are there, AFAIK it should then delete all messages with that id in all mailboxes.

Happy SOARing

----- If this helped fix it please mark as a solution to help others in the future -----

0 Karma
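The pivot described in this answer, as an added example that is not from the thread or from the EWS app: take the results of a query run against one mailbox, keep only the unique Internet Message-IDs (RFC 5322 `Message-ID`, which is the same header in every recipient's copy) whose subject and sender match, and build one parameter set per id for the delete action. The result field names (`subject`, `from_address`, `message_id`) and the delete parameters (`id`, `email`) are assumptions, not the app's real schema, and the query results are constructed.

```python
"""Pivot from one mailbox's query results to per-message-id delete parameters.
Field names below are assumptions, not the EWS app's actual output schema."""
import re
from typing import Dict, List

# Constructed sample of what a "run query" over a single mailbox might return.
SAMPLE_QUERY_RESULTS = [
    {"subject": "Invoice overdue", "from_address": "billing@example.invalid",
     "message_id": "<abc123@mail.example.invalid>"},
    {"subject": "Re: Invoice overdue", "from_address": "colleague@corp.example",
     "message_id": "<reply1@corp.example>"},            # an internal reply
    {"subject": "invoice overdue", "from_address": "Billing@Example.Invalid",
     "message_id": "<abc123@mail.example.invalid>"},    # same id, seen twice
    {"subject": "Invoice overdue", "from_address": "billing@example.invalid",
     "message_id": "<def456@mail.example.invalid>"},    # second wave, new id
]

# Shape of a syntactically valid RFC 5322 Message-ID: <left@right>
_MESSAGE_ID = re.compile(r"<[^<>\s]+@[^<>\s]+>")


def _norm(value: str) -> str:
    return value.strip().lower()


def match_message_ids(results: List[Dict[str, str]], subject: str, sender: str) -> List[str]:
    """Return unique Message-IDs whose subject and sender match exactly
    (case-insensitive). Exact subject match keeps 'Re:' replies out of the
    delete list; a malformed id is skipped rather than passed on."""
    ids: List[str] = []
    for row in results:
        if _norm(row.get("subject", "")) != _norm(subject):
            continue
        if _norm(row.get("from_address", "")) != _norm(sender):
            continue
        mid = row.get("message_id", "").strip()
        if not _MESSAGE_ID.fullmatch(mid):
            continue
        if mid not in ids:
            ids.append(mid)
    return ids


def build_delete_params(message_ids: List[str], mailbox: str) -> List[Dict[str, str]]:
    """One parameter dict per id for the delete action. The 'id' and 'email'
    (mailbox used for impersonation) parameter names are assumptions."""
    return [{"id": mid, "email": mailbox} for mid in message_ids]
```

Whether one delete call really removes the message from every mailbox, as the answer says, depends on the app and the impersonation rights granted; check the action's result for each id rather than assuming success.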

drew19
Path Finder

Hi @phanTom,

did you miss the last answer? Is there a way to understand if and how we could get all the email IDs related to a specific email (e.g. given a subject and a sender, or pivoting on other elements; which ones in that case)?

Thank you in advance.

Andrea

0 Karma

drew19
Path Finder

Hi @phanTom ,

thank you for your reply.

This is not answering our question, so let me try to write it better.

Our target usecase is to:

1) Find all the users who have received an email with a particular subject/sender/string in the body and retrieve the related email IDs;

2) Delete such emails.

The (most important) point that seems not possible for now is the first one, since when using the "run query" action from the Exchange App you are required to specify the input field "email", that is the "User Mailbox to search in".
For this reason, we do not see any app/action for Phantom that could help us retrieve such IDs. Is there a way to do that?

0 Karma