Splunk Lantern

Managing known phishing email addresses


  • Product: Splunk Enterprise or Splunk Cloud Platform
  • Feature: Search
  • Function: Exchange message trace


Your users report receiving a large number of phishing emails lately. You want to gather information about these messages so that you can create better filters on your network.


To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search:
    sourcetype="ms:o365:reporting:messagetrace"
    |stats VALUES(FromIP) VALUES(SenderAddress) VALUES(Size) VALUES(Subject) BY RecipientAddress

Conclusion


Search explanation

sourcetype="ms:o365:reporting:messagetrace"
    Search only O365 message trace logs.
|stats VALUES(FromIP) VALUES(SenderAddress) VALUES(Size) VALUES(Subject) BY RecipientAddress
    Return the distinct values of each listed field (sending IP, sender address, message size, subject) and group the results by recipient address.
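To see what the search above actually produces, here is an added example (not from the Splunk Lantern page or from Splunk) that emulates `stats VALUES(...) BY RecipientAddress` in plain Python over a constructed set of message trace events. It goes one step beyond the page's search: it also lists sender addresses that reached several distinct recipients, which is the kind of evidence you would want before adding a sender to a mail filter. The field names match the page; the JSON-lines layout, the addresses, IPs, sizes and subjects are all invented sample data.

```python
import json
from collections import defaultdict

# Constructed sample of O365 message trace events in JSON-lines form, carrying
# the fields the search uses. Addresses and IPs are invented (RFC 5737
# documentation ranges), not real log data.
SAMPLE_JSONL = """\
{"RecipientAddress": "alice@example.com", "SenderAddress": "billing@invoice-alert.example", "FromIP": "203.0.113.10", "Size": 18231, "Subject": "Invoice overdue"}
{"RecipientAddress": "bob@example.com", "SenderAddress": "billing@invoice-alert.example", "FromIP": "203.0.113.10", "Size": 18231, "Subject": "Invoice overdue"}
{"RecipientAddress": "alice@example.com", "SenderAddress": "hr@payroll-update.example", "FromIP": "198.51.100.7", "Size": 9876, "Subject": "Action required: payroll"}
{"RecipientAddress": "alice@example.com", "SenderAddress": "billing@invoice-alert.example", "FromIP": "203.0.113.10", "Size": 18231, "Subject": "Invoice overdue"}
{"RecipientAddress": "carol@example.com", "SenderAddress": "hr@payroll-update.example", "FromIP": "198.51.100.7", "Size": 9876, "Subject": "Action required: payroll"}
{"RecipientAddress": "dave@example.com", "SenderAddress": "newsletter@example.org", "FromIP": "192.0.2.25", "Size": 40120}
"""

# The fields the page's search aggregates with VALUES().
FIELDS = ("FromIP", "SenderAddress", "Size", "Subject")


def parse_events(jsonl):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def stats_values_by_recipient(events, fields=FIELDS):
    """Emulate `| stats VALUES(f) ... BY RecipientAddress`.

    VALUES() yields the distinct values of a field per group, in lexicographic
    order (Splunk compares field values as strings). An event lacking a field
    contributes nothing to that field; an event with no RecipientAddress
    falls outside every group, as with a null BY field in Splunk.
    """
    groups = defaultdict(lambda: {f: set() for f in fields})
    for ev in events:
        recipient = ev.get("RecipientAddress")
        if recipient is None:
            continue
        for f in fields:
            if ev.get(f) is not None:
                groups[recipient][f].add(str(ev[f]))
    return {r: {f: sorted(v) for f, v in per_field.items()}
            for r, per_field in groups.items()}


def sender_filter_candidates(events, min_recipients=2):
    """Senders that delivered to at least `min_recipients` distinct recipients.

    Returns {sender: distinct recipient count}; a sender hitting many users
    with the same message is a stronger filter candidate than a one-off.
    """
    recipients_by_sender = defaultdict(set)
    for ev in events:
        if ev.get("SenderAddress") and ev.get("RecipientAddress"):
            recipients_by_sender[ev["SenderAddress"]].add(ev["RecipientAddress"])
    return {s: len(r) for s, r in recipients_by_sender.items()
            if len(r) >= min_recipients}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_JSONL)
    for recipient, per_field in sorted(stats_values_by_recipient(evs).items()):
        print(recipient)
        for f in FIELDS:
            print(f"  {f}: {per_field[f]}")
    print("filter candidates:", sender_filter_candidates(evs))
```

Note that the duplicate event for alice collapses into one value per field, exactly as VALUES() deduplicates, and that dave's row has an empty Subject list because the field was absent from his event rather than an error.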
