Field Notes: Dealing with Phishing

Attackers use online scams to steal personal information, which is why phishing prevention has become critical for every organization. Phishing emails may appear to be legitimate. In today’s world you will likely be subjected to a phishing attack, so you need to be aware of the warning signs and know how to handle the situation.

For that, you will need to have a proper action plan in place, so let’s take a look at what can be done.

Step 1: Reporting of Phishing Emails

There are different ways in which an email can be reported as phishing.

  • Report Message add-in for Outlook: the user reports the message as phishing.
  • Admins can observe a phishing message from the submitted reports or from alerts.

Step 2: User investigation

We need to understand what actions the end-user took after receiving the phishing emails.

Audit Log Search – Was the Email opened by the end-user?

We will need to search the audit logs and check the activity „Accessed mailbox items”.

Go through the result list and look for the Internet Message ID of the phishing email.

Folders

[
    {
        "FolderItems": [
            {
                "InternetMessageId": "<56f1e3b5-6661-43fc-8e9c-6314a3e45ee2@az.northeurope.production.microsoft.com>"
            },
            {
                "InternetMessageId": "<337a18b0-0003-4a26-be90-e9871254b641@az.northeurope.production.microsoft.com>"
            }
        ],
        "Id": "LgAAAABp5APSIlI8QISXSEknmWcqAQBSVPu+13jcTrBDFKIhByosAAAs/GIhAAAB",
        "Path": "\\Inbox\\Sync Issues"
    }
]

To make this easier, export the audit results to a CSV file and search for the Message-ID there. This step shows whether the end-user accessed the phishing email.
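Searching the exported audit CSV for a Message-ID can be scripted instead of done by hand. This is an added example, not part of the original notes; the CSV sample is constructed, and it assumes the export has an AuditData column holding the JSON record (MailItemsAccessed operation with the Folders / FolderItems / InternetMessageId structure shown above).

```python
import csv
import io
import json

# Constructed sample of a unified audit log CSV export (not real data).
# Assumed layout: CreationDate, UserIds, Operations and an AuditData column
# holding the JSON record with Folders / FolderItems / InternetMessageId.
SAMPLE_EXPORT = r'''CreationDate,UserIds,Operations,AuditData
"2024-01-10T09:12:00","alice@contoso.example","MailItemsAccessed","{""Operation"":""MailItemsAccessed"",""UserId"":""alice@contoso.example"",""Folders"":[{""FolderItems"":[{""InternetMessageId"":""<phish-0001@example.invalid>""}],""Id"":""F1"",""Path"":""\\Inbox""}]}"
"2024-01-10T09:15:00","bob@contoso.example","MailItemsAccessed","{""Operation"":""MailItemsAccessed"",""UserId"":""bob@contoso.example"",""Folders"":[{""FolderItems"":[{""InternetMessageId"":""<newsletter-77@example.invalid>""}],""Id"":""F2"",""Path"":""\\Inbox""}]}"
"2024-01-10T09:20:00","carol@contoso.example","Send","{""Operation"":""Send"",""UserId"":""carol@contoso.example""}"
"2024-01-10T09:25:00","dave@contoso.example","MailItemsAccessed","{not valid json"
'''


def users_who_accessed(csv_text, internet_message_id):
    """Return (user, folder path, time) tuples for every MailItemsAccessed
    record whose folder items include the given Internet Message-ID."""
    wanted = internet_message_id.strip().lower()
    hits = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only mailbox-access records can tell us whether the mail was opened.
        if row.get("Operations") != "MailItemsAccessed":
            continue
        try:
            data = json.loads(row.get("AuditData", ""))
        except json.JSONDecodeError:
            continue  # a malformed row should not abort the whole search
        user = data.get("UserId") or row.get("UserIds", "")
        for folder in data.get("Folders", []):
            for item in folder.get("FolderItems", []):
                if item.get("InternetMessageId", "").strip().lower() == wanted:
                    hits.add((user, folder.get("Path", ""), row.get("CreationDate", "")))
    return sorted(hits)


if __name__ == "__main__":
    for user, path, when in users_who_accessed(SAMPLE_EXPORT, "<phish-0001@example.invalid>"):
        print(f"{when}  {user}  opened the message in {path}")
```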

Check if there were any replies to the phishing emails

Perform message traces

Search for replies in Explorer

You can also search for replies in Explorer by filtering on recipient and on subject. The results will show whether the user has replied to the phishing email.

Check the user clicks

Check which users clicked on the link present in the phishing email.

Go to the Explorer and search for the email.

Once you find the affected email, go to the URLs tab and check the links. There you can see which links are present within the phishing email and which of those URLs were delivered or junked.

Click on a link to get an overview of where that link has been found. In the table below the graph you will find the phishing email and any other emails in which Safe Links found this URL.

Keep in mind that this is also a way to check whether the user replied to the phishing email, as the reply will also contain the phishing URL.

Next, go on to the Clicks Tab. There you will be able to find a list of users that have clicked on the phishing link present in the email.

Audit logs – Did the user provide their credentials?

Check the audit logs for any unusual mailbox login.

From the activities list, select „User signed in to mailbox” and check the results for any unusual sign-in.

Investigate recipient with Explorer

We also have the option to investigate the affected recipients when dealing with phishing emails.

Go to the Explorer page and search for the phishing email.

Select the email and from the actions tab choose „Investigate recipient”. This triggers an automatic investigation that checks the recipient for any signals of compromise.

The investigation will run in the background and once this is complete, you will be able to check if the end user was compromised.

Step 3: Email Investigation

The first thing that we need to check when starting an email investigation is the header.

We will need to check the basics, and there are two easy ways of getting this information. The first is to manually copy the header from the email and paste it into the Message Header Analyzer tool.

Message Header Analyzer (mha.azurewebsites.net)

Where is the email coming from – understand the flow

What hops does the email take? Where does the email originate?

Is the email coming from internal or external?

Anonymous – represents an email coming from outside the organization.

Internal – represents an email coming from inside the organization (if internal, consider that the account could be compromised and proceed to remediate the compromised account).

Check the IP Address

In X-Forefront-Antispam-Report you can find information about the connecting IP address. If you decide to block the IP address, this is the one you will need to block.

Check the sender and the return path

Return-Path: See if the email address in this entry matches the email address in the From: entry. They typically will not match for mass emailers like advertisers or spammers. The Return-Path: email address is used when an email cannot be delivered to its recipients, and it “bounces back”. Spammers don’t want all the undelivered email to end up in their inboxes!

Further fields to check in the message header to understand why this email has been marked as phish:

Authentication-results: Contains information about SPF, DKIM, and DMARC (email authentication) results.

X-Forefront-Antispam-Report: Contains information about the message and about how it was processed.

X-Microsoft-Antispam: Contains additional information about bulk mail and phishing.

Check the Sender Authentication

SPF: what value can be found there?

DKIM: what value can be found there?

Investigating Phishing Email with Explorer

It is also very important to understand where the email was sent and how many mailboxes were actually affected. Do we have one isolated case pointing to a targeted phishing attack, or are there many more present across the organization?

Searching for the phishing email with Explorer gives us exactly that information.

After we have identified a phishing email, we can search for it, filtering on the sender or the subject, and check this way how many recipients in the organization have received it.

Step 4: Investigate your device

In the case of a phishing email that contains attachments, you might also want to check the affected devices, in case the attachment was downloaded locally.

Using Microsoft Defender for Endpoint or any other endpoint protection, investigate whether the downloaded attachment has made any changes to the system.

Collect the investigation package

By checking the investigation package you can verify the current state of the device and gain more visibility into the techniques and tools used by the attacker.

Go to the Action center and download the package collection found under „Status”.

Run an antivirus scan

Initiate the antivirus scan remotely to check if the device has been compromised.

Restrict app execution on the device

Trigger an automated investigation

If necessary, you can begin an automated investigation on the device. Any other similar or related activities will be added to the ongoing automated investigation before it completes. In addition, if the same threat is detected on other devices, the investigation is expanded to include those devices.

Isolate the device

Step 5: Remediation

Automated Investigation

Check the investigation started during the investigation phase and review all the information. Based on all the above steps, we will need to take remediation actions:

Block URLs

In the Security Center, go to Tenant Allow/Block Lists and block the URLs that were found suspicious during the investigation. You will need to manage the URL blocklist.

Make sure you select the URL tab. Also take advantage of the „Never expire” option if needed.

Block files

You can block file hashes in case attachments were caught.

You specify files by using the SHA256 hash value of the file. To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt:

certutil.exe -hashfile "<Path>\<Filename>" SHA256

Block IP addresses and senders

Using the connection filter inside the anti-spam policy, you can choose to block certain IP addresses that were found during the investigation.

Submit the email, URL or attachment to Microsoft for review

Submit the suspicious email, URL or attachment found during the investigation to Microsoft for review.

Perform a Seek and Destroy procedure

  • Search for Email
  • Preview
  • Contact Recipients
  • Action: Delete Email

Search

We need to search for the email across the whole organization, especially if the phishing attack targeted multiple users.

Use the compliance search from the compliance center to search for the email, specifying keywords or any other filters to identify it.

Preview

When the search is complete, preview the emails. Make sure relevant data does not get deleted.

User notification

After this step, decide whether you need to inform the end users that some of their emails will be deleted. This is a relevant step depending on different data protection regulations.

You can notify all the recipients using the explorer by selecting all the emails found and going to the actions tab.

Choose contact recipients and an email message will open with all the recipients in BCC. Create an informational template you can use to inform your users that emails will be deleted.

Purge

Decide whether you want to soft or hard delete the phishing emails from your organization using the Explorer.

This will trigger a remediation action, where you can determine the severity and start the deletion process.

There you have it! Some best practices on how to deal with phishing attacks.
