Introduction
To help you take the human layer of cyber intelligence to the next level, you can now update your Microsoft Defender tenant blocklists directly from PhishArm. This feature lets you prevent harmful or unsolicited emails from reaching your users' mailboxes. It requires an integration with your Microsoft Defender tenant, in which PhishArm adds an app to your Microsoft tenant's app list. Once you grant the required access, the capability is up and running. The steps below show how to use it.
Pre-requisites:
You can use this capability if you have a Microsoft Defender tenant.
The admin or user authorizing the app for integration must have one of the following roles:
Global Admin
Security Admin
1. Integrating with MS Defender
Step 1: Log in to Right-Hand Cybersecurity's cyberready portal and navigate to PhishArm --> Reported Emails --> click on Investigate.
Step 2: In the Investigate right-side drawer, click on Mark as Resolved. In the drawer screen you will notice the option to integrate with MS Defender. Click on the "configure MS Defender" link as highlighted below.
Step 3: This opens a modal with guidance on the feature and its pre-requisites. Click on the "Connect with MS defender" button. This directs you to the Microsoft OAuth flow.
Step 4: Log in to your Microsoft account and accept the permissions requested by the Right-Hand app.
Step 5: Once the integration is done, you will notice that the "+ Add Blocklist" button has become active in the Mark as Resolved screen.
After integration, the "+ Add Blocklist" button is active only when the reported email is marked as malicious. When it is safe or uncategorized, the button is disabled.
Assigning the administrator role to the app in your Microsoft account
Step 1: From the Azure portal home, find the Microsoft Entra roles and administrators service, or go directly to Microsoft Entra roles and administrators.
Step 2: Search for Exchange Admin
Step 3: Open the Exchange Administrator role page and click on Add assignments
Step 4: Select member(s) > find the Right-Hand HRM Application and select the app.
Step 5: Enter a justification and click Assign.
Step 6: You can verify the new assignment from the role page
Removing the Integration
If for some reason you want to remove the integration with MS Defender, you can do so as follows:
Step 1: Click on "click to remove connection".
Step 2: Click on the "Delete connection" button.
Submitting Observables for blocklisting
Step 1: Go to any reported email that you have identified as malicious/suspicious and that has observables (URLs, domains, sender email) you want to blocklist --> click on Mark as Resolved and, in the second drawer, click on "+ Add Blocklist".
Step 2: Select the observables to be sent for blocklisting:
+malicious URLs - adds all the malicious URLs to the table below, from which they can be sent for blocklisting
+suspicious URLs - adds all the suspicious URLs to the table below, from which they can be sent for blocklisting
+Malicious Domains - adds all the malicious domains to the table below, from which they can be sent for blocklisting
+Suspicious Domains - adds all the suspicious domains to the table below, from which they can be sent for blocklisting
+Sender Email - adds the sender email to be sent for blocklisting
Clear - clears the list you have built using the actions above
Currently, only URLs/domains that received a malicious or suspicious verdict from the aggregated threat intelligence of VirusTotal can be added to the list.
Any URLs that are uncategorized, unscanned, safe or in progress cannot be sent for blocklisting from PhishArm. This prevents unwarranted use of the functionality that could cause a business disruption.
For senders, we likewise allow only the sender email address to be blocklisted from the platform, to prevent a mass block of a valid domain due to a possible mistake.
Step 3: Once the observables are selected, make the following configuration changes:
Expire In - the number of days after which the blocklist entry expires. Pre-selected options are 7 days, 30 days, 60 days, 90 days and never expire.
Note - any note you would like to add to the blocklist request.
Step 4: Click on the Blocklist button.
Step 5: Once blocklisted, you will see feedback on the blocklist request in the Mark as Resolved drawer. You can also check the history to see the blocklist requests.
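The eligibility rules and Expire In options from Steps 2 and 3 above, implemented as an added example that is not PhishArm's own code: it filters constructed sample observables by verdict, accepts a sender only as a full address (never a bare domain), and attaches the chosen expiry to each request entry. The field names, the request dict layout and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Eligible URL/domain verdicts; safe, uncategorized, unscanned and in-progress are rejected.
ELIGIBLE_VERDICTS = {"malicious", "suspicious"}
# "Expire In" options offered by the form; None means the entry never expires.
EXPIRE_IN_OPTIONS = {"7 days": 7, "30 days": 30, "60 days": 60, "90 days": 90, "never expire": None}

@dataclass
class Observable:
    kind: str           # "url", "domain" or "sender" (field names are assumptions)
    value: str
    verdict: str = ""   # aggregated threat-intel verdict; empty for senders

def is_eligible(obs: Observable) -> bool:
    """Gating rules: URLs/domains need a malicious or suspicious verdict;
    a sender is accepted only as a full address, never as a bare domain."""
    if obs.kind in ("url", "domain"):
        return obs.verdict.lower() in ELIGIBLE_VERDICTS
    if obs.kind == "sender":
        local, sep, domain = obs.value.partition("@")
        return bool(local) and sep == "@" and "." in domain
    return False

def build_request(observables, expire_in, note="", now=None):
    """Split observables into blocklist entries (with the chosen expiry) and
    rejected items, so the caller can show why something was skipped."""
    if expire_in not in EXPIRE_IN_OPTIONS:
        raise ValueError(f"unknown Expire In option: {expire_in!r}")
    now = now or datetime.now(timezone.utc)
    days = EXPIRE_IN_OPTIONS[expire_in]
    expires_at = None if days is None else now + timedelta(days=days)
    entries, rejected = [], []
    for obs in observables:
        if is_eligible(obs):
            entries.append({"kind": obs.kind, "value": obs.value, "note": note,
                            "expires_in_days": days, "expires_at": expires_at})
        else:
            rejected.append(obs)
    return entries, rejected

# Constructed sample observables from a reported e-mail (not real indicators).
SAMPLE = [
    Observable("url", "http://invoice-update.example/login", "malicious"),
    Observable("url", "http://cdn.example/tracker.gif", "uncategorized"),
    Observable("domain", "invoice-update.example", "suspicious"),
    Observable("domain", "files.example", "in-progress"),
    Observable("sender", "billing@invoice-update.example"),
    Observable("sender", "invoice-update.example"),  # bare domain: rejected
]
```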