Leverage Your Microsoft Stack to Shut Down Phishing Campaigns in Seconds

Phishing attacks continue to be a major threat to organizations of all sizes, with cybercriminals becoming increasingly sophisticated in their methods. As a result, security teams are faced with the daunting task of investigating and responding to a growing number of phishing alerts. Fortunately, automation is emerging as a powerful tool to help these teams streamline their workflows, increase efficiency, and improve response times. By leveraging automation, security teams can rapidly investigate and remediate phishing attacks, reducing the risk of data breaches and other security incidents. In this blog post, we’ll explore how automation between a suite of Microsoft tools can be used to investigate and respond to phishing alerts.

In this example, we’re reviewing a suspicious email forwarded to the SOC by an employee. In the event overview, we can see the original email contained as a .eml file:

Smart SOAR Screenshot: Event details for a suspicious email forwarded by an employee.

On ingestion, the original email content from the .eml file is extracted and uploaded to the event overview, shown below:

Smart SOAR Screenshot: extracted email contents

Other information, such as the recipient, sender, original attachment, and email header information are also extracted to be used in the investigation.

The Playbook

Smart SOAR Screenshot: Microsoft phishing playbook overview

Using Office 365, Azure Active Directory, 365 Defender, Defender for Endpoint, Microsoft Sentinel, and Intune, we can collect information related to the recipient, sender, device, and file that will help us determine the right next steps.

From Azure Active Directory, we can pull in the activity logs of the employee who reported the email. The playbook task compiles the category of action, the time it was taken, and the result (success or failure):

Smart SOAR Screenshot: Activity logs of employee from Azure Active Directory

From Microsoft 365 Defender, we can search for other emails sent to this user. Here we’ve included the timestamp, sender email address, sender IPv4, recipient email address, subject line, and internet message ID:

Smart SOAR Screenshot: Phishing investigation with Microsoft 365 Defender

As you can see, there are two other suspicious emails from the same sender. This tells us that a campaign is underway.

As mentioned above, the original email contained a file. The hash for this file can be used to search for other devices that may have received this email:

Smart SOAR Screenshot: Get host by hashes in defender

Here we can see the ID, DNS name, and last IP address for potentially affected devices:

Smart SOAR Screenshot: Telemetry of potentially affected devices

Then, we can run a search in Microsoft Sentinel for any related security events. We’re looking for events within the last 24 hours from any computer returned by the query above:

Smart SOAR Screenshot: Search host related incidents in Microsoft Sentinel

Finally, we can look for the device’s compliance state in Microsoft Intune. In this case, the device has not violated any of our policies:

Smart SOAR Screenshot: Device compliance info in Microsoft Intune

The Analysis

Now we’ll take a look at the data displayed in the incident overview. We’ll make inferences from it and decide how to proceed. First, we’ll take a look at the incident notes, which shows us a summary of the actions that have been completed by the playbook and what actions are outstanding. We can see that the triage process has been completed and that there are pending tasks waiting for review:

Smart SOAR Screenshot: Phishing incident notes

Additionally, within the incident notes, the email authentication results have been collected. Here we can see that the DKIM and SPF checks have passed:

Smart SOAR Screenshot: Phishing incident notes

Further down in the incident overview, we see the data collected by the incident playbook. From Azure Active Directory, we have information on the user and a list of recent activities including the action, time, and result. All of these actions look expected for the user, so we can’t conclude there is a sign of compromise:

Smart SOAR Screenshot: User activity logs in Azure Active Directory

To determine if this is a single email or part of a larger campaign, we search for other emails in 365 Defender and see two with similar subject lines. This means that this is likely a persistent threat.

Smart SOAR Screenshot: Search for other mails in MS 365 Defender

Finally, we search Defender for Endpoint for other devices that may have received the email, and check Microsoft Sentinel for any Security Events related to these devices.

Smart SOAR Screenshot: Search on Defender for Endpoint

Smart SOAR Screenshot: MS Sentinel search


Based on these results we can deduce that it is a campaign targeting one user. Since the email was forwarded to us and we aren’t seeing suspicious activity on the activity logs, we will not take any serious response actions like resetting the user’s account or device. Instead, we will delete the emails from their inbox and block the sender.

Smart SOAR Screenshot: Phishing remediation tasks


The playbook used six Microsoft tools to gather contextual information on a phishing alert, including user activity logs, related security events, and the affected device’s compliance state. This information is automatically collected and displayed to the analyst in under 60 seconds from when the incident is created in D3. Multiplied across the astronomical number of phishing alerts that teams regularly receive, this can save thousands of hours over the course of the year.

If you’re interested in other D3 Smart SOAR use cases, see our playbooks for Trojans and Remote File Downloads here:

  1. Investigate Trojan Alerts in Seconds with SentinelOne, VirusTotal, and Azure Active Directory
  2. Playbook Breakdown: Cross-Stack Analysis with CrowdStrike, Zscaler, and Active Directory
Social Icon
Pierre Noujeim

Pierre Noujeim is a Product Marketing Manager with a cyber security engineering background. Having implemented SOAR at enterprise organizations as well as for D3's MSSP partners, Pierre has rich and varied insight into integrations, use cases and the cyber security vendor landscape. A dedicated product marketer, Pierre represents D3 at analyst briefings, webinar workshops and industry conferences such as RSA and Black Hat.