CanIPhish can integrate with Microsoft 365 through the Graph API to quarantine emails reported through CanIPhish's Outlook Report Email Add-in. Implementing this quarantining functionality significantly improves the email report experience, as reporters don't need to manually move emails to the trash or spam folders after a report takes place.
Additionally, as the administrator you gain control over which types of emails are quarantined, with the ability to report actual spam/phishing emails to Microsoft, or even recover emails accidentally reported as spam/phishing.
To get started, please follow the steps outlined below.
Note: For Email Quarantine functionality to work, you must be using CanIPhish's Outlook Report Email Add-in. Emails reported through CanIPhish's Report Email Forwarding Address cannot be quarantined.
Table of Contents
- Step 1. Create An App Registration In Microsoft
- Step 2. Configure Email Quarantining in CanIPhish
- Frequently Asked Questions
Step 1. Create An App Registration In Microsoft
1.1. Log in to the Microsoft Azure account linked to your Microsoft 365 Tenant: https://portal.azure.com/
1.2. In the search bar at the top of the page, search for "App registrations" and click on the corresponding Service.
1.3. Click New Registration to create a new App Registration:
1.4. Provide the app with a unique and distinguishable name (e.g. CanIPhish Email Quarantine Connector), leave the other options on their default setting (as shown below) and then click the Register button:
1.5. While on the Overview page, copy the Application ID and Tenant ID values to your clipboard or a text editor as you'll need them later:
1.6. Click on the Manage > API permissions tab on the left:
1.7. Click the Add a permission button:
1.8. Click the "Microsoft Graph" API:
1.9. Click "Application permissions":
1.10. In the search box type in: "Mail.ReadWrite" and then expand the "Mail" permission, selecting the "Mail.ReadWrite" permission.
1.11. Now, change the search to look for: "User.Read.All" and then expand the "User" permission, selecting the "User.Read.All" permission.
1.12. Now, change the search to look for: "ThreatSubmission.ReadWrite.All" and then expand the "ThreatSubmission" permission, selecting the "ThreatSubmission.ReadWrite.All" permission.
1.13. Click the Add permissions button at the bottom of the page to add the three permissions we've selected:
1.14. Confirm that all the permissions appear in the API Permissions table:
1.15. You'll notice a warning next to each permission, indicating that admin consent hasn't yet been granted. Admin consent is required for these permissions to work. Click the Grant admin consent... button directly above the table. Afterwards, the Status will indicate that access has been granted.
1.16. Now change to the Manage > Certificates & secrets tab:
1.17. Click the New client secret button:
1.18. In the dialog that appears on the right of your screen, provide the secret with a descriptive name (e.g. "CanIPhish DMI Connector Secret") and an expiration date - we recommend the maximum of 730 days (upon expiration you need to provision a new secret). Then click Add:
1.19. Your secret will now appear in the Client secrets table. Copy the Value of your newly created secret to your clipboard or text editor:
1.20. You should now have the Application ID, Tenant ID, and Client Secret all stored in your text editor.
Step 2. Configure Email Quarantining in CanIPhish
2.1. Log in to your CanIPhish account and navigate to the Reporting page and then to the Reported Emails tab. Finally, click the Advanced Settings button.
2.2. In the popup that appears, go to the Quarantine tab, and then click the Microsoft 365 radio button to begin the integration process for Microsoft 365.
2.3. A popup will appear prompting you to enter an Application ID, Tenant ID, and Client Secret. Each of these will have been gathered during the App registration process followed in Step 1. One-by-one, paste these values into their respective fields, and then click Save Credentials.
2.4. The credentials will be tested, and if successful, they will be saved, and the Integration Status will be set to Active.
2.5. Configure the Quarantine Settings to suit your needs and then click Apply Updates to finalize the integration. For information on what each setting does, please see the Frequently Asked Questions below.
You're all done!
Frequently Asked Questions
I'm quarantining emails that require analysis, but I want those marked as Not Phish and Not Spam to be restored.
You're in luck! If you've configured CanIPhish to quarantine emails that have an attribution of "Analysis Required", and then later mark those emails as "Not Phish" and "Not Spam", CanIPhish has built-in functionality to restore these emails, so long as those attribution statuses aren't marked for quarantining. For an example of the recommended configuration, please refer to the screenshot below:
Why does CanIPhish require the requested Microsoft Graph API permissions?
Each permission serves a particular purpose, as follows:
User.Read.All: Used to get the Microsoft 365 User ID for individual users who reported emails. This ID is required so we can identify which user requires an email to be quarantined.
Mail.ReadWrite: Used to move the reported email into Junk or Deleted Item folders. Emails are reported by contacting the Graph API and providing the Message ID and User ID to Microsoft.
ThreatSubmission.ReadWrite.All: Used to send a threat submission to Microsoft, which contains the reported email. This helps to train Microsoft's detection algorithms to help prevent future emails of this nature from being received by other individuals within your organization.
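To confirm that the app registration holds exactly the three permissions listed above and nothing broader, you can inspect the `roles` claim of an app-only access token issued to it. The following is an added example, not CanIPhish's code; it assumes you have already obtained such a token for the registration, and the sample tokens in it are constructed and unsigned.

```python
import base64
import json

# Application permissions this guide grants in Step 1.
EXPECTED_ROLES = {"Mail.ReadWrite", "User.Read.All", "ThreatSubmission.ReadWrite.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Return the payload claims of a JWT. Inspection only: no signature check."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def audit_roles(access_token: str, expected=EXPECTED_ROLES) -> dict:
    """Compare the app-only token's `roles` claim with the expected permissions."""
    granted = set(token_claims(access_token).get("roles", []))
    return {
        "missing": sorted(expected - granted),  # permission not added or consent not granted
        "excess": sorted(granted - expected),   # more access than this guide calls for
        "ok": granted == set(expected),
    }


def make_sample_token(roles) -> str:
    """Build an unsigned, constructed token for the demo (not a real Microsoft token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"roles": list(roles)}), "sig"])


if __name__ == "__main__":
    good = make_sample_token(sorted(EXPECTED_ROLES))
    # Constructed drift case: one expected permission missing, one unrelated one added.
    drifted = make_sample_token(["Mail.ReadWrite", "User.Read.All", "Directory.ReadWrite.All"])
    print(audit_roles(good))
    print(audit_roles(drifted))
```

A non-empty `missing` list usually means step 1.15 (admin consent) was skipped; a non-empty `excess` list means the registration has been given access beyond what quarantining needs.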
If emails that require analysis are set to be quarantined, does quarantining occur immediately after the report is received?
Near immediately! If your quarantine configuration dictates that emails that require analysis are to be quarantined, then they will be quarantined within 5-40 seconds of the user performing the initial report.