Microsoft Defender Integration
The Microsoft Defender integration with Phin's Report-a-Phish button enables automatic submission of non-Phin reported emails to a configured Microsoft 365 Reported Message Destination email for analysis in Microsoft Defender XDR, requiring setup of the phishing button, enabling Microsoft Defender with a Reported Message Destination, and configuration within Phin's company-level Report Phishing Integration page.
Phin's Report Phishing Button Integration with Microsoft Defender
How Does it Work?
The Microsoft Defender integration allows you to include a "Reported Message Destination" email address in the Phin Report-a-Phish Integration. Adding this email will submit all non-Phin emails reported through the Report-a-Phish button directly to the Microsoft 365 Submission page.
Now you can automatically submit emails for analysis to Microsoft Defender without the need to forward reported emails to a designated inbox.
Prerequisites
- 1.Turn on the Phin Reporting Phishing Button for the companies that you want to submit emails from.
- 2.Enable Microsoft Defender for your Microsoft Tenant and configure a Reported Message Destination.
- 3.For more information on how to set this up, see Microsoft's documentation on configuring user-reported settings.
- 4.To learn more about Microsoft reporting tools, refer to the options for Microsoft reporting tools documentation.
- 5.For more information on Microsoft's Advanced Delivery, check out the Microsoft 365 Defender Advanced Delivery Guide.
How to Configure in Phin
This integration is configurable within a company-level Report Phishing Integration page. The steps to add this configuration are as follows:
- 1.Navigate to the Report Phishing Button Integration page.
- 2.Under Forwarding Addresses, you will see a new input section titled Microsoft Defender Address.
- 3.Add the same email address you used for your Reported Message Destination email forwarding address in Microsoft and click "Save Contacts".
- 4.Now, emails reported by employees using the Report Phishing Button will be submitted to Microsoft Defender and available in the Submission section.
Automatically Submit Reported Emails for Analysis
When you enable the "Submit to Microsoft Defender for Analysis" checkbox, reported emails will automatically be submitted to Microsoft Defender XDR. Below are articles directly from Microsoft pertaining to the submission and analysis process:
- https://learn.microsoft.com/en-us/defender-office-365/submissions-admin
- https://learn.microsoft.com/en-us/defender-xdr/submission-guide
Important Notes:
- For those who enabled the Report Phishing Integration prior to 9/24/2024, you must disconnect and reconnect it to consent to updated permissions before the "Submit for Analysis" checkbox becomes available. You do NOT need to reinstall the Manifest in your tenants.
- The configuration of the "Submit for Analysis" feature is not dependent on having the "Defender Address" feature configured/enabled. These two features are mutually exclusive.
- As of now, only the header and body contents of a reported email are submitted for analysis; attachment data is removed due to file size limitations.
What Does Defender Do and What Does Phinbox IQ Do?
Microsoft Defender scans the email and uses it to improve itself. However, it does not perform remediation actions such as:
- Checking if anyone else received the email
- Checking if users clicked on any links
- Blocking the domain
These remediation actions can be performed using Phinbox IQ. Phinbox is designed for hands-on management of user-reported tickets and supports threat hunting to determine if emails are malicious, using the tools provided by Phinbox.
Knowledge Base
Phin updates its Knowledge Base with new features with every release. You can read about the platform and its updates at https://www.phinsec.io/knowledge.
Feedback is encouraged to help drive Phin's development direction. All ideas are welcome.
If you need help or have an idea, you can submit it through the provided Knowledge Base link.