Introduction
To help you take the human layer of cyber intelligence to the next level, you can now update your Microsoft Defender tenant blocklists directly from PhishArm. This feature lets you prevent harmful or unsolicited emails from reaching your users' mailboxes. It requires an integration with your MS Defender tenant, in which PhishArm adds an app to your Microsoft tenant's app list. Once you grant the required access, the capability is up and running. Here are the steps to use it.
Pre-requisites:
You can use this capability if you have an MS Defender tenant.
The admin or user authorizing the app for the integration must have the following access level:
Global Admin
1. Integrating with MS defender
Step 1: Log in to Right Hand Cybersecurity's cyberready portal and navigate to --> PhishArm --> Reported Emails --> Click on Investigate
Step 2: In the Investigate drawer on the right side, click on Mark as Resolved. In the drawer screen you will notice the option to integrate with MS Defender. Click on the "configure MS Defender" link as highlighted below.
Step 3: This opens a modal with some guidance on the feature and its pre-requisites. Click on the "Connect with MS Defender" button. This will direct you to the Microsoft OAuth flow.
Step 4: Log in to your Microsoft account and accept the permissions requested by the Right-Hand app.
Step 5: Once the integration is done, you will notice that the "+ Add Blocklist" button has become active in the Mark as Resolved screen.
After integration, the "+ Add Blocklist" button is active only when the reported email has been marked as malicious. When it is marked safe or uncategorized, the button is disabled.
Assign custom role groups to the application using service principals
Step 1: Create a custom role group. To create a custom role group in Exchange Online, visit the Exchange Online Admin Roles page.
Step 2: Click on Add role group.
Step 3: Type a name for the role group and click on Next.
Step 4: Select these three permissions on the Permissions page and click on the Next button.
Transport Hygiene
Tenant AllowBlockList Manager
Step 5: On the Admins page click the Next button; no assignment is needed here (the assignment will be done later using PowerShell).
Step 6: Review the permissions and click on Add role group.
Step 7: Note down the role group name; it will be required in a later step. Click on the Done button.
Step 8: Set up and connect Exchange Online PowerShell
Install the Exchange Online Management module by running the following command in PowerShell:
Install-Module -Name ExchangeOnlineManagement
Connect to Exchange Online using the following command:
Connect-ExchangeOnline
Step 9: Sign in using an Exchange Administrator account, or any user who has been assigned the Organization Management role and the Role Management permission.
Step 10: Confirm that the login has completed.
Step 11: Register the app with Exchange Online
Find the App ID, Object ID and App Name under Enterprise Apps in the Entra admin portal: search for Right-Hand HRM and click on the Right-Hand HRM app.
All required fields will be visible there.
Step 12: Run the following command in PowerShell, filling the placeholders with the Name, Application ID and Object ID (the -ServiceId parameter takes the app's Object ID; in newer versions of the ExchangeOnlineManagement module the same parameter is named -ObjectId).
New-ServicePrincipal -DisplayName "<App Name>" -AppId <Application ID> -ServiceId <Object ID>
Then run the following commands in PowerShell, filling in the placeholder with the custom role group name:
$SP = Get-ServicePrincipal -Identity "Right-Hand HRM"
Add-RoleGroupMember -Identity "<Name of custom role group>" -Member $SP.Identity
Step 13: Verify the custom role group assignment to the app:
Visit the Admin Roles page of Exchange Online
Click on the role group created earlier
Click on the Assigned tab
Verify that Right-Hand HRM is visible
It takes around 1-2 hours for the role updates to propagate and be reflected properly.
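Steps 8 to 13 combined into one script, as an added example (this is not PhishArm's or Microsoft's own script). It assumes the custom role group is named "PhishArm Blocklist Manager", uses placeholder GUIDs for the Application ID and Object ID, and checks which spelling of the object-ID parameter the installed module exposes (-ServiceId as shown on this page, or -ObjectId in newer module versions) before calling New-ServicePrincipal. Before adding the app to the role group it also warns if the group grants anything beyond Transport Hygiene and Tenant AllowBlockList Manager, which is the least-privilege check an admin would want before handing a third-party app a role that can change the tenant block list.

```powershell
# Added example: register the Right-Hand HRM enterprise app as an Exchange Online
# service principal, add it to the custom role group, and verify the membership.
# GUIDs and the role group name are placeholders/assumptions; take the real values
# from the app's entry under Enterprise Apps in the Entra admin portal.
#Requires -Modules ExchangeOnlineManagement
param(
    [string]$AppName       = 'Right-Hand HRM',
    [string]$AppId         = '00000000-0000-0000-0000-000000000000',  # placeholder Application ID
    [string]$ObjectId      = '11111111-1111-1111-1111-111111111111',  # placeholder Object ID
    [string]$RoleGroupName = 'PhishArm Blocklist Manager'              # assumed role group name
)

Connect-ExchangeOnline -ShowBanner:$false

# Idempotent registration: reuse the service principal if it already exists.
$sp = Get-ServicePrincipal -Identity $AppName -ErrorAction SilentlyContinue
if (-not $sp) {
    # Older module versions call the object-ID parameter -ServiceId (as on this page),
    # newer ones call it -ObjectId; use whichever the installed module exposes.
    $cmd = Get-Command New-ServicePrincipal
    if ($cmd.Parameters.ContainsKey('ObjectId')) {
        $sp = New-ServicePrincipal -DisplayName $AppName -AppId $AppId -ObjectId $ObjectId
    } else {
        $sp = New-ServicePrincipal -DisplayName $AppName -AppId $AppId -ServiceId $ObjectId
    }
}

# Least-privilege check: the group should carry only the roles documented above.
$expectedRoles = @('Transport Hygiene', 'Tenant AllowBlockList Manager')
$group = Get-RoleGroup -Identity $RoleGroupName
foreach ($role in $expectedRoles) {
    if (-not ($group.Roles | Where-Object { $_ -like "*$role*" })) {
        Write-Warning "Role group '$RoleGroupName' is missing the '$role' role"
    }
}
$unexpected = $group.Roles | Where-Object {
    $r = $_; -not ($expectedRoles | Where-Object { $r -like "*$_*" })
}
if ($unexpected) {
    Write-Warning "Role group grants roles beyond the documented ones, review them: $($unexpected -join ', ')"
}

# Add the service principal to the role group, skipping if it is already a member.
$members = Get-RoleGroupMember -Identity $RoleGroupName
if ($members.Name -notcontains $AppName) {
    Add-RoleGroupMember -Identity $RoleGroupName -Member $sp.Identity
}

# Verification (same check as the Assigned tab in the admin portal): the app
# should now be listed as a member. Allow 1-2 hours for the change to propagate.
Get-RoleGroupMember -Identity $RoleGroupName | Where-Object { $_.Name -eq $AppName }
```

Run it from a PowerShell session signed in as described in Step 9; if the final line prints nothing, the membership has not propagated yet or the Add-RoleGroupMember call failed, and the warnings above point to a role group that does not match the one described in Steps 1-7.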
Removing the Integration
If for some reason you want to remove the integration with MS Defender, you can do so as follows:
Step 1: Click on "click to remove connection"
Step 2: Click on the "Delete Connection" button
Submitting Observables for blocklisting
Step 1: Go to any reported email that you have identified as malicious/suspicious and that has observables (URLs, domains, sender email) you want to blocklist --> Click on Mark as Resolved, and in the second drawer -> Click on "+ Add Blocklist"
Step 2: Select the observables to be sent for blocklisting:
+Malicious URLs - adds all the malicious URLs to the table below, from which they can be sent for blocklisting
+Suspicious URLs - adds all the suspicious URLs to the table below, from which they can be sent for blocklisting
+Malicious Domains - adds all the malicious domains to the table below, from which they can be sent for blocklisting
+Suspicious Domains - adds all the suspicious domains to the table below, from which they can be sent for blocklisting
+Sender Email - adds the sender email address to be sent for blocklisting
Clear - clears the list you selected using the above actions
Currently only URLs/domains that received a malicious or suspicious verdict from VirusTotal's aggregated threat intelligence can be added to the list.
Any URLs that are uncategorized/unscanned/safe/in-progress cannot be sent for blocklisting from PhishArm. This prevents unwarranted use of the functionality that could cause a business disruption.
For senders, we likewise allow only the sender email address to be blocklisted from the platform, to prevent a mass block of a valid domain due to a possible mistake.
Step 3: Once the observables are selected, make the configuration changes:
Expire In - the number of days after which the blocklist entry should expire. Pre-selected options are 7 days, 30 days, 60 days, 90 days and never expire
Note - any note you would like to add to the blocklist request
Step 4: Click on the Blocklist button
Step 5: Once blocklisted, you will see feedback on the blocklist request in the Mark as Resolved drawer. You can also check the history to see past blocklist requests.
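Blocklist requests submitted this way end up in the Defender Tenant Allow/Block List, which is why the app needs the Tenant AllowBlockList Manager role from the integration steps above. The script below is an added example (not PhishArm's own code, and not a description of what the app does internally) showing how an admin can audit those entries and their expiry with the Exchange Online cmdlets, and how to create an equivalent entry by hand with the same Expire In choices and the same guard rail as the platform: sender entries are accepted only as full email addresses, never as a bare domain. The URLs and sender address in it are constructed placeholders, and the Note text is an assumption.

```powershell
# Added example: audit Tenant Allow/Block List block entries and create manual
# block entries with the same expiry options as PhishArm's "Expire In" field.
# Requires the Tenant AllowBlockList Manager role (or an Exchange admin).
#Requires -Modules ExchangeOnlineManagement

Connect-ExchangeOnline -ShowBanner:$false

# Map the page's Expire In options (7/30/60/90 days, never) to cmdlet parameters.
function Get-ExpiryArgs {
    param([ValidateSet('7', '30', '60', '90', 'never')][string]$ExpireIn)
    if ($ExpireIn -eq 'never') { return @{ NoExpiration = $true } }
    return @{ ExpirationDate = (Get-Date).ToUniversalTime().AddDays([int]$ExpireIn) }
}

# Create block entries with the same guard rail the platform applies:
# a sender entry must be a full address, so a whole domain is never blocked by mistake.
function New-BlockEntries {
    param(
        [ValidateSet('Url', 'Sender')][string]$ListType,
        [string[]]$Entries,
        [string]$ExpireIn = '30',
        [string]$Note = 'Manual entry matching a PhishArm blocklist request'  # assumed note text
    )
    if ($ListType -eq 'Sender') {
        $bad = $Entries | Where-Object { $_ -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$' }
        if ($bad) { throw "Refusing domain-wide sender block for: $($bad -join ', ')" }
    }
    $expiry = Get-ExpiryArgs -ExpireIn $ExpireIn
    New-TenantAllowBlockListItems -ListType $ListType -Block -Entries $Entries -Notes $Note @expiry
}

# Audit: list current block entries sorted by expiry, so entries that never
# expire (empty ExpirationDate) and entries about to lapse are easy to spot.
function Get-BlockEntryReport {
    param([ValidateSet('Url', 'Sender')][string]$ListType = 'Url')
    Get-TenantAllowBlockListItems -ListType $ListType -Block |
        Select-Object Value, ExpirationDate, Notes, LastModifiedDateTime |
        Sort-Object ExpirationDate
}

# Constructed sample input (placeholder indicators, not real IoCs).
$sampleUrls = @('phish.example.invalid/login', 'invoice.example.test/attachment')
New-BlockEntries -ListType Url -Entries $sampleUrls -ExpireIn '30'
New-BlockEntries -ListType Sender -Entries @('attacker@example.invalid') -ExpireIn '90'

# This call is rejected by the guard rail: a bare domain is not a sender address.
try { New-BlockEntries -ListType Sender -Entries @('example.invalid') } catch { Write-Warning $_ }

Get-BlockEntryReport -ListType Url | Format-Table -AutoSize
Get-BlockEntryReport -ListType Sender | Format-Table -AutoSize
```

The report is the server-side counterpart of the history view mentioned in Step 5: if an entry shows up in the portal's history but not in Get-TenantAllowBlockListItems, the role assignment from the integration steps is the first thing to re-check.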