All Collections
MS defender blocklist using PhishArm Integration
MS defender blocklist using PhishArm Integration
Written by Shailanchal Uniyal
Updated over a week ago


Helping you to take the human layer of cyber intelligence to the next level we are now allowing you to update your MS defender tenant blocklists directly from PhishArm. This feature allows you to prevent harmful or unsolicited emails from reaching your users' mailboxes. It needs an integration with MS defender tenant wherein PhishArm adds an app to your Microsoft tenant's app list. Once you provide the required access the capability is up and running. Here are the steps you can take to use the capability.


  • You can use this capability if you have MS defender tenant

  • The admin or the user authorizing the app for integration must have either of the following access levels:

    • Global Admin

    • Security Admin

1. Integrating with MS defender

Step 1: Login to Right Hand Cybersecurity's cyberready portal and navigate to --> PhishArm --> Reported Emails --> Click on Investigate

Step 2: In the investigate right side drawer, click on Mark as Resolved. In the drawer screen you will notice the option to integrate with MS defender. Click on "configure MS Defender" link as highlighted below

Step 3: This will open a modal that provides some guidance on the feature and pre-requisites. Click on "Connect with MS defender" button. This will direct you to Microsoft Oauth flow.

Step 4: Login to you Microsoft account and accept the permissions requested by the Right-hand app

Step 5: Once the integration is done you will be able to notice that "+ Add Blocklist" button has become active in the mark as resolved screen

After integration the "+ Add Blocklist" button will be active only when the reported email is marked as malicious. When it is safe or uncategorized the button will be disabled.

Assigning the administrator role to the app in your Microsoft account

Step 1: From Azure portal home find the Entra roles and administrators service or directly to Microsoft Entra roles and administrators

Step 2: Search for Exchange Admin

Step 3: Open the Exchange Administrator role page and click on Add assignments

Step 4: Select member(s) > Find Right-Hand HRM Application and Select the App

Step 5: Enter justification and Assign

Step 6: You can verify the new assignment from the role page

Removing the Integration

If for some reason you want to remove the integration with MS defender you can do so by clicking on "click to remove connection" and then clicking on "Delete Connection" button

Step 2: Click on "Delete connection" button

Submitting Observables for blocklisting

Step 1: Go to any reported email that you have identified as malicious/suspicious and has observables(urls, domains, sender email) that you want to blocklist --> Click on Mark as resolved and in the second drawer -> Click on "+ Add Blocklist"

Step 2: Selecting the observables to be sent for blocklsting

+malicious URLs - will add all the malicious URLs to the table below which can be sent for blocklisting

+suspicious URLs - will add all the suspicious URLs to the table below which can be sent for blocklisting

+Malicious Domains - will add all the malicious domains to the table below which can be sent for blocklisting

+Suspicious Domains - will add all the suspicious domains to the table below which can be sent for blocklisting

+Sender Email - will add the sender email to be sent for bloclisting

Clear - This will clear the list that has been selected by you using the above actions

Currently only the URLs/Domains, which received some malicious or suspicious verdicts from the aggregated threat intelligence of VirusTotal, are allowed to be added to the list.

Any URLs that are uncategorized/unscanned/safe/in-progress cannot be sent for blocklisting from PhishArm. This is to prevent any unwarranted use of the functionality that could cause a potential business disruption.

For senders, also we allow only the sender email to be blocklisted from the platform to prevent mass block of a valid domain due to some possible mistake.

Step 3: Once the observables are selected, make the changes to configuration as:

  • Expire In - The number of days after which you want to expire the blocklist entry. Pre selected options are available as 7 days, 30 days, 60 days, 90 days and never expire

  • Note - Any Note you would like to add to the blocklist request

Step 4: Click on the bocklist button

Step 5: Once Blocklisted You will see the feedback in the Mark as Resolved drawer on the blocklist request. You can also check the history to see the blocklist requests

Did this answer your question?